├── test
├── tools
│ ├── issuer
│ │ ├── .gitignore
│ │ ├── Dockerfile
│ │ ├── cmd
│ │ │ ├── main.go
│ │ │ └── options
│ │ │ │ └── options.go
│ │ └── pkg
│ │ │ └── issuer
│ │ │ └── issuer.go
│ ├── audit-webhook
│ │ ├── .gitignore
│ │ ├── Dockerfile
│ │ ├── cmd
│ │ │ ├── main.go
│ │ │ └── options
│ │ │ │ └── options.go
│ │ └── pkg
│ │ │ └── sink
│ │ │ └── sink.go
│ └── fake-apiserver
│ │ ├── .gitignore
│ │ ├── Dockerfile
│ │ ├── cmd
│ │ ├── options
│ │ │ └── options.go
│ │ └── main.go
│ │ └── pkg
│ │ └── server
│ │ └── server.go
├── util
│ ├── strings.go
│ └── tls.go
├── e2e
│ ├── framework
│ │ ├── helper
│ │ │ ├── helper.go
│ │ │ ├── requester.go
│ │ │ ├── kubectl.go
│ │ │ ├── secrets.go
│ │ │ └── token.go
│ │ ├── config
│ │ │ └── config.go
│ │ └── util.go
│ └── suite
│ │ ├── cases
│ │ ├── doc.go
│ │ ├── probe
│ │ │ └── probe.go
│ │ ├── token
│ │ │ └── token.go
│ │ └── headers
│ │ │ └── headers.go
│ │ ├── suite_test.go
│ │ └── suite.go
└── environment
│ └── environment.go
├── .dockerignore
├── pkg
├── mocks
│ ├── .gitignore
│ └── mocks.go
├── util
│ ├── port.go
│ ├── signals.go
│ ├── token.go
│ └── flags
│ │ ├── string_to_string_slice_test.go
│ │ └── string_to_string_slice.go
├── proxy
│ ├── audit
│ │ ├── handler.go
│ │ └── audit.go
│ ├── hooks
│ │ └── hooks.go
│ ├── tokenreview
│ │ ├── fake
│ │ │ └── tokenreview.go
│ │ ├── tokenreview.go
│ │ └── tokenreview_test.go
│ ├── logging
│ │ ├── accesslog_test.go
│ │ └── accesslog.go
│ ├── subjectaccessreview
│ │ └── fake
│ │ │ └── subjectaccessreview.go
│ └── context
│ │ └── context.go
└── probe
│ ├── probe.go
│ └── probe_test.go
├── demo
├── manifests
│ ├── .gitignore
│ ├── vendor
│ │ └── kube-prod-runtime
│ │ │ ├── VERSION
│ │ │ ├── components
│ │ │ ├── fluentd-es-config
│ │ │ │ ├── system.conf
│ │ │ │ ├── fluentd.conf
│ │ │ │ ├── output.conf
│ │ │ │ ├── monitoring.conf
│ │ │ │ └── import-from-upstream.py
│ │ │ ├── images.json
│ │ │ ├── elasticsearch-config
│ │ │ │ └── java.security
│ │ │ ├── alertmanager-config.jsonnet
│ │ │ ├── version.jsonnet
│ │ │ ├── oauth2-proxy.jsonnet
│ │ │ ├── externaldns.jsonnet
│ │ │ └── kibana.jsonnet
│ │ │ ├── Makefile
│ │ │ ├── tests
│ │ │ ├── aks.jsonnet
│ │ │ └── gke.jsonnet
│ │ │ └── lib
│ │ │ └── utils.libsonnet
│ ├── jsonnetfile.json
│ ├── jsonnetfile.lock.json
│ └── components
│ │ ├── landingpage
│ │ ├── google.svg
│ │ ├── index.html
│ │ └── amazon.svg
│ │ ├── contour-clusterrole.json
│ │ ├── cert-manager.jsonnet
│ │ ├── base32.libsonnet
│ │ └── gangway.jsonnet
├── infrastructure
│ ├── amazon
│ │ ├── .gitignore
│ │ ├── suffix.tf
│ │ ├── secrets.tf
│ │ ├── dns.tf
│ │ ├── providers.tf
│ │ └── outputs.tf
│ ├── digitalocean
│ │ ├── .gitignore
│ │ ├── suffix.tf
│ │ ├── secrets.tf
│ │ ├── dns.tf
│ │ ├── providers.tf
│ │ └── outputs.tf
│ ├── .gitignore
│ ├── google
│ │ ├── suffix.tf
│ │ ├── secrets.tf
│ │ ├── variables.tf
│ │ ├── cluster.tf
│ │ ├── dns.tf
│ │ ├── providers.tf
│ │ └── output.tf
│ └── modules
│ │ ├── digitalocean-cluster
│ │ ├── outputs.tf
│ │ └── cluster.tf
│ │ ├── amazon-cluster
│ │ ├── outputs.tf
│ │ └── cluster.tf
│ │ ├── ca
│ │ └── ca.tf
│ │ ├── oauth2-secrets
│ │ └── secrets.tf
│ │ ├── gangway
│ │ └── secrets.tf
│ │ ├── google-dns
│ │ └── dns.tf
│ │ └── google-cluster
│ │ └── cluster.tf
├── .gitignore
└── config.dist.jsonnet
├── .gitignore
├── hack
├── boilerplate
│ ├── boilerplate.go.txt
│ ├── boilerplate.py.txt
│ ├── boilerplate.sh.txt
│ ├── boilerplate.Dockerfile.txt
│ ├── boilerplate.Makefile.txt
│ ├── test
│ │ ├── pass.go
│ │ ├── fail.go
│ │ ├── pass.py
│ │ └── fail.py
│ └── boilerplate_test.py
├── tools
│ └── tools.go
├── docker-start-wrapper.sh
├── version-ldflags.sh
├── verify-boilerplate.sh
└── update-vendor.sh
├── OWNERS
├── deploy
├── charts
│ └── kube-oidc-proxy
│ │ ├── templates
│ │ ├── serviceaccount.yaml
│ │ ├── tests
│ │ │ └── test-connection.yaml
│ │ ├── clusterrolebinding.yaml
│ │ ├── poddisruptionbudget.yaml
│ │ ├── clusterrole.yaml
│ │ ├── service.yaml
│ │ ├── ingress.yaml
│ │ ├── secret_config.yaml
│ │ ├── NOTES.txt
│ │ ├── secret_tls.yaml
│ │ └── _helpers.tpl
│ │ ├── Chart.yaml
│ │ ├── .helmignore
│ │ ├── README.md
│ │ └── values.yaml
└── yaml
│ └── secrets.yaml
├── cmd
├── app
│ └── options
│ │ ├── plugin.go
│ │ ├── audit.go
│ │ ├── serving.go
│ │ ├── client.go
│ │ ├── misc.go
│ │ ├── options.go
│ │ ├── oidc.go
│ │ └── app.go
└── main.go
├── Dockerfile
├── docs
└── tasks
│ ├── auditing.md
│ ├── no-impersonation.md
│ ├── token-passthrough.md
│ ├── extra-impersonation-headers.md
│ └── development-testing.md
├── CONTRIBUTING.md
├── GenGitChangeLog.py
├── CHANGELOG.md
├── patchlog.txt
├── CODE_OF_CONDUCT.md
└── .github
└── workflows
└── build.yaml
/test/tools/issuer/.gitignore:
--------------------------------------------------------------------------------
1 | /bin
2 |
--------------------------------------------------------------------------------
/.dockerignore:
--------------------------------------------------------------------------------
1 | !/bin/kube-oidc-proxy
2 |
--------------------------------------------------------------------------------
/pkg/mocks/.gitignore:
--------------------------------------------------------------------------------
1 | /authenticator.go
2 |
--------------------------------------------------------------------------------
/test/tools/audit-webhook/.gitignore:
--------------------------------------------------------------------------------
1 | /bin
2 |
--------------------------------------------------------------------------------
/test/tools/fake-apiserver/.gitignore:
--------------------------------------------------------------------------------
1 | /bin
2 |
--------------------------------------------------------------------------------
/demo/manifests/.gitignore:
--------------------------------------------------------------------------------
1 | /config.json
2 | /*-config.json
3 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/VERSION:
--------------------------------------------------------------------------------
1 | dev-untagged
2 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /kube-oidc-proxy
2 | /bin
3 | /demo/config.jsonnet
4 | /artifacts/
5 |
--------------------------------------------------------------------------------
/demo/infrastructure/amazon/.gitignore:
--------------------------------------------------------------------------------
1 | /config-map-aws-auth_*
2 | /kubeconfig_*
3 |
--------------------------------------------------------------------------------
/demo/.gitignore:
--------------------------------------------------------------------------------
1 | /secrets
2 | /.kubeconfig-*
3 | /bin/
4 | /.backup-certificates.yaml
5 |
--------------------------------------------------------------------------------
/demo/infrastructure/digitalocean/.gitignore:
--------------------------------------------------------------------------------
1 | /config-map-aws-auth_*
2 | /kubeconfig_*
3 |
--------------------------------------------------------------------------------
/hack/boilerplate/boilerplate.go.txt:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 |
--------------------------------------------------------------------------------
/hack/boilerplate/boilerplate.py.txt:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 |
--------------------------------------------------------------------------------
/hack/boilerplate/boilerplate.sh.txt:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 |
--------------------------------------------------------------------------------
/demo/infrastructure/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform/
2 | *.tfstate
3 | *.tfstate.backup
4 | *.tfvars
5 |
--------------------------------------------------------------------------------
/hack/boilerplate/boilerplate.Dockerfile.txt:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 |
--------------------------------------------------------------------------------
/hack/boilerplate/boilerplate.Makefile.txt:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 |
--------------------------------------------------------------------------------
/OWNERS:
--------------------------------------------------------------------------------
1 | approvers:
2 | - simonswine
3 | - joshvanl
4 | reviewers:
5 | - simonswine
6 | - joshvanl
7 |
--------------------------------------------------------------------------------
/demo/infrastructure/amazon/suffix.tf:
--------------------------------------------------------------------------------
1 | resource "random_id" "suffix" {
2 | byte_length = 4
3 | }
4 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/suffix.tf:
--------------------------------------------------------------------------------
1 | resource "random_id" "suffix" {
2 | byte_length = 4
3 | }
4 |
--------------------------------------------------------------------------------
/demo/infrastructure/digitalocean/suffix.tf:
--------------------------------------------------------------------------------
1 | resource "random_id" "suffix" {
2 | byte_length = 4
3 | }
4 |
--------------------------------------------------------------------------------
/demo/infrastructure/amazon/secrets.tf:
--------------------------------------------------------------------------------
1 | module "gangway" {
2 | source = "../modules/gangway"
3 | length = 24
4 | }
5 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/secrets.tf:
--------------------------------------------------------------------------------
1 | module "gangway" {
2 | source = "../modules/gangway"
3 | length = 24
4 | }
5 |
--------------------------------------------------------------------------------
/demo/infrastructure/digitalocean/secrets.tf:
--------------------------------------------------------------------------------
1 | module "gangway" {
2 | source = "../modules/gangway"
3 | length = 24
4 | }
5 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/fluentd-es-config/system.conf:
--------------------------------------------------------------------------------
1 |
2 | root_dir /tmp/fluentd-buffers/
3 |
4 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/fluentd-es-config/fluentd.conf:
--------------------------------------------------------------------------------
1 | # Include config files in the ./config.d directory
2 | @include config.d/*.conf
3 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/digitalocean-cluster/outputs.tf:
--------------------------------------------------------------------------------
1 | output "kubeconfig" {
2 | value = "${digitalocean_kubernetes_cluster.cluster.kube_config.0.raw_config}"
3 | }
4 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/amazon-cluster/outputs.tf:
--------------------------------------------------------------------------------
1 | output "cluster_node_arn" {
2 | value = "${module.eks.worker_iam_role_arn}"
3 | }
4 |
5 | output "kubeconfig" {
6 | value = "${module.eks.kubeconfig}"
7 | }
8 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/variables.tf:
--------------------------------------------------------------------------------
1 | variable "cluster_provider" {
2 | default = "google"
3 | }
4 |
5 | variable "dns_provider" {
6 | default = "google"
7 | }
8 |
9 | variable "oidc_provider" {
10 | default = "dex"
11 | }
12 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | labels:
5 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
6 | name: {{ include "kube-oidc-proxy.fullname" . }}
7 |
8 |
--------------------------------------------------------------------------------
/cmd/app/options/plugin.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | // This package is required to be imported to register all client
6 | // plugins.
7 | _ "k8s.io/client-go/plugin/pkg/client/auth"
8 | )
9 |
--------------------------------------------------------------------------------
/pkg/mocks/mocks.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package mocks
3 |
4 | // This package contains generated mocks
5 |
6 | //go:generate mockgen -package=mocks -destination authenticator.go k8s.io/apiserver/pkg/authentication/authenticator Token
7 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/cluster.tf:
--------------------------------------------------------------------------------
1 | module "cluster" {
2 | source = "../modules/google-cluster"
3 | suffix = "${random_id.suffix.hex}"
4 | zone = "${var.google_zone}"
5 | }
6 |
7 | output "cluster_kubeconfig" {
8 | value = "${module.cluster.kubeconfig}"
9 | }
10 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/dns.tf:
--------------------------------------------------------------------------------
1 | module "dns" {
2 | source = "../modules/google-dns"
3 | suffix = "${random_id.suffix.hex}"
4 | }
5 |
6 | module "ca" {
7 | source = "../modules/ca"
8 |
9 | ca_crt_file = "${var.ca_crt_file}"
10 | ca_key_file = "${var.ca_key_file}"
11 | }
12 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | appVersion: "v1.0.0"
3 | description: A Helm chart for kube-oidc-proxy
4 | home: https://github.com/jetstack/kube-oidc-proxy
5 | name: kube-oidc-proxy
6 | version: 0.3.2
7 | maintainers:
8 | - name: mhrabovcin
9 | - name: joshvanl
10 |
--------------------------------------------------------------------------------
/hack/tools/tools.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | //go:build tools
3 | // +build tools
4 |
5 | package tools
6 |
7 | // This file is used to vendor packages we use to build binaries.
8 | // This is the current canonical way with go modules.
9 |
10 | import (
11 | _ "github.com/golang/mock/mockgen"
12 | )
13 |
--------------------------------------------------------------------------------
/test/tools/audit-webhook/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 | FROM alpine:3.10
3 |
4 | LABEL description="A audit webhook sink to read audit events and write to file."
5 |
6 | RUN apk --no-cache add ca-certificates
7 |
8 | COPY ./bin/audit-webhook /usr/bin/audit-webhook
9 |
10 | CMD ["/usr/bin/audit-webhook"]
11 |
--------------------------------------------------------------------------------
/test/tools/issuer/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 | FROM alpine:3.10
3 |
4 | LABEL description="A basic OIDC issuer that prsents a well-known and certs endpoint."
5 |
6 | RUN apk --no-cache add ca-certificates
7 |
8 | COPY ./bin/oidc-issuer-linux /usr/bin/oidc-issuer
9 |
10 | CMD ["/usr/bin/oidc-issuer"]
11 |
--------------------------------------------------------------------------------
/test/tools/fake-apiserver/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 | FROM alpine:3.10
3 |
4 | LABEL description="A fake API server that will respond to requests with the same body and headers."
5 |
6 | RUN apk --no-cache add ca-certificates
7 |
8 | COPY ./bin/fake-apiserver-linux /usr/bin/fake-apiserver
9 |
10 | CMD ["/usr/bin/fake-apiserver"]
11 |
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
1 | # Copyright Jetstack Ltd. See LICENSE for details.
2 | FROM ubuntu:22.04
3 | LABEL description="OIDC reverse proxy authenticator based on Kubernetes"
4 |
5 | ARG TARGETARCH
6 |
7 | RUN apt-get update;apt-get -y install ca-certificates;apt-get -y upgrade;apt-get clean;rm -rf /var/lib/apt/lists/*
8 |
9 | COPY bin/${TARGETARCH}/kube-oidc-proxy /usr/bin/
10 |
11 | CMD ["/usr/bin/kube-oidc-proxy"]
12 |
--------------------------------------------------------------------------------
/demo/manifests/jsonnetfile.json:
--------------------------------------------------------------------------------
1 | {
2 | "dependencies": [
3 | {
4 | "name": "kube-prod-runtime",
5 | "source": {
6 | "git": {
7 | "remote": "https://github.com/bitnami/kube-prod-runtime.git",
8 | "subdir": "manifests"
9 | }
10 | },
11 | "version": "v1.1.2"
12 | }
13 | ]
14 | }
--------------------------------------------------------------------------------
/hack/docker-start-wrapper.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
3 | set -o errexit
4 | set -o nounset
5 | set -o pipefail
6 |
7 | export KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
8 |
9 | # start docker
10 | /etc/init.d/docker start
11 |
12 | # wait for it to be started
13 | n=0
14 | until [ $n -ge 15 ]
15 | do
16 | docker info > /dev/null && break
17 | n=$[$n+1]
18 | sleep 1
19 | done
20 |
21 | exec $@
22 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/ca/ca.tf:
--------------------------------------------------------------------------------
1 | variable "ca_crt_file" {}
2 | variable "ca_key_file" {}
3 |
4 | data "local_file" "crt_file" {
5 | filename = "${var.ca_crt_file}"
6 | }
7 |
8 | data "local_file" "key_file" {
9 | filename = "${var.ca_key_file}"
10 | }
11 |
12 |
13 | output "crt" {
14 | value = "${data.local_file.crt_file.content}"
15 | }
16 |
17 | output "key" {
18 | value = "${data.local_file.key_file.content}"
19 | }
20 |
--------------------------------------------------------------------------------
/demo/manifests/jsonnetfile.lock.json:
--------------------------------------------------------------------------------
1 | {
2 | "dependencies": [
3 | {
4 | "name": "kube-prod-runtime",
5 | "source": {
6 | "git": {
7 | "remote": "https://github.com/bitnami/kube-prod-runtime.git",
8 | "subdir": "manifests"
9 | }
10 | },
11 | "version": "edcd38494e95f7af2571b24d52301859719c56e5"
12 | }
13 | ]
14 | }
--------------------------------------------------------------------------------
/pkg/util/port.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package util
3 |
4 | import (
5 | "net"
6 | "strconv"
7 | )
8 |
9 | func FreePort() (string, error) {
10 | l, err := net.ListenTCP("tcp", &net.TCPAddr{
11 | IP: net.ParseIP("127.0.0.1"),
12 | Port: 0,
13 | })
14 | if err != nil {
15 | return "", err
16 | }
17 | defer l.Close()
18 |
19 | port := l.Addr().(*net.TCPAddr).Port
20 | return strconv.Itoa(port), nil
21 | }
22 |
--------------------------------------------------------------------------------
/demo/infrastructure/amazon/dns.tf:
--------------------------------------------------------------------------------
1 | data "external" "cert_manager" {
2 | program = ["jq", ".cert_manager", "../../manifests/google-config.json"]
3 | query = { }
4 | }
5 |
6 | data "external" "externaldns" {
7 | program = ["jq", ".externaldns", "../../manifests/google-config.json"]
8 | query = { }
9 | }
10 |
11 | module "ca" {
12 | source = "../modules/ca"
13 |
14 | ca_crt_file = "${var.ca_crt_file}"
15 | ca_key_file = "${var.ca_key_file}"
16 | }
17 |
--------------------------------------------------------------------------------
/demo/infrastructure/digitalocean/dns.tf:
--------------------------------------------------------------------------------
1 | data "external" "cert_manager" {
2 | program = ["jq", ".cert_manager", "../../manifests/google-config.json"]
3 | query = {}
4 | }
5 |
6 | data "external" "externaldns" {
7 | program = ["jq", ".externaldns", "../../manifests/google-config.json"]
8 | query = {}
9 | }
10 |
11 | module "ca" {
12 | source = "../modules/ca"
13 |
14 | ca_crt_file = "${var.ca_crt_file}"
15 | ca_key_file = "${var.ca_key_file}"
16 | }
17 |
--------------------------------------------------------------------------------
/docs/tasks/auditing.md:
--------------------------------------------------------------------------------
1 | # Auditing
2 |
3 | kube-oidc-proxy allows for the ability to audit requests to the proxy. The proxy
4 | exposes all the same options for auditing that the Kubernetes API server
5 | provides, however does _not_ support dynamic configuration
6 | (`--audit-dynamic-configuration`).
7 |
8 | You can read more on how to configure and manage auditing in the [Kubernetes
9 | documentation](https://kubernetes.io/docs/tasks/debug-application-cluster/audit).
10 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/Makefile:
--------------------------------------------------------------------------------
1 | KUBECFG = kubecfg
2 |
3 | COMPONENTS := $(wildcard components/*.jsonnet)
4 | PLATFORMS := $(wildcard tests/*.jsonnet)
5 |
6 | JFILES := \
7 | $(wildcard */*.libsonnet) \
8 | $(COMPONENTS) $(PLATFORMS)
9 |
10 | validate: $(PLATFORMS:%.jsonnet=%.jsonnet-validate)
11 |
12 | %.jsonnet-validate: %.jsonnet $(JFILES)
13 | $(KUBECFG) validate --ignore-unknown $<
14 |
15 | .PHONY: all validate
16 | .PHONY: %.jsonnet-validate
17 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/oauth2-secrets/secrets.tf:
--------------------------------------------------------------------------------
1 | variable "length" {}
2 |
3 | resource "random_string" "client_id" {
4 | length = "${var.length}"
5 | special = false
6 | }
7 |
8 | resource "random_string" "client_secret" {
9 | length = "${var.length}"
10 | special = false
11 | }
12 |
13 | output "config" {
14 | value = {
15 | client_id = "${random_string.client_id.result}"
16 | client_secret = "${random_string.client_secret.result}"
17 | }
18 | }
19 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *~
18 | # Various IDEs
19 | .project
20 | .idea/
21 | *.tmproj
22 | .vscode/
23 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/providers.tf:
--------------------------------------------------------------------------------
1 | variable "google_region" {
2 | default = "europe-west1"
3 | }
4 |
5 | variable "google_zone" {
6 | default = "europe-west1-d"
7 | }
8 |
9 | variable "google_project" {}
10 |
11 | variable "ca_crt_file" {}
12 | variable "ca_key_file" {}
13 |
14 | provider "google" {
15 | region = "${var.google_region}"
16 | credentials = "${file("~/.config/gcloud/terraform-admin.json")}"
17 | project = "${var.google_project}"
18 | version = "~> 2.0"
19 | }
20 |
--------------------------------------------------------------------------------
/cmd/main.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package main
3 |
4 | import (
5 | "fmt"
6 | "os"
7 |
8 | "github.com/jetstack/kube-oidc-proxy/cmd/app"
9 | "github.com/jetstack/kube-oidc-proxy/pkg/util"
10 | "k8s.io/klog/v2"
11 | )
12 |
13 | func main() {
14 | klog.InitFlags(nil)
15 | stopCh := util.SignalHandler()
16 | cmd := app.NewRunCommand(stopCh)
17 |
18 | if err := cmd.Execute(); err != nil {
19 | fmt.Fprintf(os.Stderr, "error: %v\n", err)
20 | os.Exit(1)
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/demo/infrastructure/digitalocean/providers.tf:
--------------------------------------------------------------------------------
1 | provider "digitalocean" {}
2 |
3 | variable "digitalocean_region" {
4 | default = "fra1"
5 | }
6 |
7 | variable "cluster_version" {
8 | default = "1.16.2-do.1"
9 | }
10 |
11 | module "cluster" {
12 | source = "../modules/digitalocean-cluster"
13 | suffix = "${random_id.suffix.hex}"
14 |
15 | cluster_version = "${var.cluster_version}"
16 | region = "${var.digitalocean_region}"
17 | }
18 |
19 | variable "ca_crt_file" {}
20 | variable "ca_key_file" {}
21 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/gangway/secrets.tf:
--------------------------------------------------------------------------------
1 | variable "length" {}
2 |
3 | resource "random_id" "session_security_key" {
4 | byte_length = "32"
5 | }
6 |
7 | module "oauth2" {
8 | source = "../oauth2-secrets"
9 | length = "${var.length}"
10 | }
11 |
12 | resource "random_string" "client_secret" {
13 | length = "${var.length}"
14 | special = false
15 | }
16 |
17 | output "config" {
18 | value = "${merge(module.oauth2.config,map("session_security_key",random_id.session_security_key.b64_std))}"
19 | }
20 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/digitalocean-cluster/cluster.tf:
--------------------------------------------------------------------------------
1 | variable "region" {}
2 | variable "suffix" {}
3 | variable "cluster_version" {}
4 |
5 | locals {
6 | cluster_name = "cluster-${var.suffix}"
7 | }
8 |
9 | resource "digitalocean_kubernetes_cluster" "cluster" {
10 | name = "${local.cluster_name}"
11 | version = "${var.cluster_version}"
12 | region = "${var.region}"
13 |
14 | node_pool {
15 | name = "default-pool"
16 | size = "s-2vcpu-2gb"
17 | node_count = 3
18 | }
19 | }
20 |
--------------------------------------------------------------------------------
/test/util/strings.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package util
3 |
4 | import "sort"
5 |
6 | func StringSlicesEqual(s1, s2 []string) bool {
7 | if len(s1) != len(s2) {
8 | return false
9 | }
10 |
11 | s12, s22 := make([]string, len(s1)), make([]string, len(s2))
12 |
13 | copy(s12, s1)
14 | copy(s22, s2)
15 |
16 | sort.Strings(s12)
17 | sort.Strings(s22)
18 |
19 | for i, s := range s12 {
20 | if s != s22[i] {
21 | return false
22 | }
23 | }
24 |
25 | return true
26 | }
27 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/tests/test-connection.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: "{{ include "kube-oidc-proxy.fullname" . }}-test-connection"
5 | labels:
6 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
7 | annotations:
8 | "helm.sh/hook": test-success
9 | spec:
10 | containers:
11 | - name: wget
12 | image: busybox
13 | command: ['wget']
14 | args: ['{{ include "kube-oidc-proxy.fullname" . }}:{{ .Values.service.port }}']
15 | restartPolicy: Never
16 |
--------------------------------------------------------------------------------
/test/e2e/framework/helper/helper.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package helper
3 |
4 | import (
5 | "k8s.io/client-go/kubernetes"
6 |
7 | "github.com/jetstack/kube-oidc-proxy/test/e2e/framework/config"
8 | )
9 |
10 | // Helper provides methods for common operations needed during tests.
11 | type Helper struct {
12 | cfg *config.Config
13 |
14 | KubeClient kubernetes.Interface
15 | }
16 |
17 | func NewHelper(cfg *config.Config) *Helper {
18 | return &Helper{
19 | cfg: cfg,
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/demo/infrastructure/amazon/providers.tf:
--------------------------------------------------------------------------------
1 | variable "aws_region" {
2 | default = "eu-west-1"
3 | }
4 |
5 | variable "cloud" {
6 | default = "amazon"
7 | }
8 |
9 | variable "cluster_version" {
10 | default = "1.14"
11 | }
12 |
13 | provider "aws" {
14 | region = "${var.aws_region}"
15 | }
16 |
17 | module "cluster" {
18 | source = "../modules/amazon-cluster"
19 | suffix = "${random_id.suffix.hex}"
20 |
21 | cluster_version = "${var.cluster_version}"
22 | }
23 |
24 | variable "ca_crt_file" {}
25 | variable "ca_key_file" {}
26 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/clusterrolebinding.yaml:
--------------------------------------------------------------------------------
1 | kind: ClusterRoleBinding
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | metadata:
4 | labels:
5 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
6 | name: {{ include "kube-oidc-proxy.fullname" . }}
7 | roleRef:
8 | apiGroup: rbac.authorization.k8s.io
9 | kind: ClusterRole
10 | name: {{ include "kube-oidc-proxy.fullname" . }}
11 | subjects:
12 | - kind: ServiceAccount
13 | name: {{ include "kube-oidc-proxy.fullname" . }}
14 | namespace: {{ .Release.Namespace }}
15 |
--------------------------------------------------------------------------------
/deploy/yaml/secrets.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 | tls.crt: {{ SERVING_TLS_CERT }}
4 | tls.key: {{ SERVING_TLS_KEY }}
5 | kind: Secret
6 | metadata:
7 | name: kube-oidc-proxy-tls
8 | namespace: kube-oidc-proxy
9 | type: kubernetes.io/tls
10 | ---
11 | apiVersion: v1
12 | data:
13 | oidc.ca-pem: {{ OIDC_CA }}
14 | oidc.issuer-url: {{ OIDC_ISSUER_URL }}
15 | oidc.username-claim: {{ OIDC_USERNAME_CLAIM }}
16 | oidc.client-id: {{ OIDC_CLIENT_ID }}
17 | kind: Secret
18 | metadata:
19 | name: kube-oidc-proxy-config
20 | namespace: kube-oidc-proxy
21 | type: Opaque
22 |
--------------------------------------------------------------------------------
/docs/tasks/no-impersonation.md:
--------------------------------------------------------------------------------
1 | # No Impersonation
2 |
3 | kube-oidc-proxy can be configured to disable impersonation. When a request has
4 | been successfully authenticated, the request is forwarded as-is, without changes
5 | to the HTTP header and no authentication injected by the proxy. The OIDC
6 | bearer token is also kept in the request. This can be useful for securing
7 | endpoints that do not provide OIDC or any authentication methods and do not
8 | implement any authorization.
9 |
10 | To disable impersonation, provide the following flag:
11 |
12 | ```
13 | --disable-impersonation
14 | ```
15 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.podDisruptionBudget.enabled -}}
2 | apiVersion: policy/v1
3 | kind: PodDisruptionBudget
4 | metadata:
5 | name: {{ include "kube-oidc-proxy.fullname" . }}
6 | namespace: {{ $.Release.Namespace }}
7 | labels:
8 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
9 | spec:
10 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
11 | selector:
12 | matchLabels:
13 | app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }}
14 | app.kubernetes.io/instance: {{ .Release.Name }}
15 | {{- end }}
16 |
--------------------------------------------------------------------------------
/hack/boilerplate/test/pass.go:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright 2014 The Kubernetes Authors.
3 |
4 | Licensed under the Apache License, Version 2.0 (the "License");
5 | you may not use this file except in compliance with the License.
6 | You may obtain a copy of the License at
7 |
8 | http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | Unless required by applicable law or agreed to in writing, software
11 | distributed under the License is distributed on an "AS IS" BASIS,
12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | See the License for the specific language governing permissions and
14 | limitations under the License.
15 | */
16 |
17 | package main
18 |
--------------------------------------------------------------------------------
/cmd/app/options/audit.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | "github.com/spf13/pflag"
6 | apiserveroptions "k8s.io/apiserver/pkg/server/options"
7 | cliflag "k8s.io/component-base/cli/flag"
8 | )
9 |
10 | type AuditOptions struct {
11 | *apiserveroptions.AuditOptions
12 | }
13 |
14 | func NewAuditOptions(nfs *cliflag.NamedFlagSets) *AuditOptions {
15 | a := &AuditOptions{
16 | AuditOptions: apiserveroptions.NewAuditOptions(),
17 | }
18 |
19 | return a.AddFlags(nfs.FlagSet("Audit"))
20 | }
21 |
22 | func (a *AuditOptions) AddFlags(fs *pflag.FlagSet) *AuditOptions {
23 | a.AuditOptions.AddFlags(fs)
24 | return a
25 | }
26 |
--------------------------------------------------------------------------------
/hack/boilerplate/test/fail.go:
--------------------------------------------------------------------------------
1 | /*
2 | Copyright 2014 The Kubernetes Authors.
3 |
4 | fail
5 |
6 | Licensed under the Apache License, Version 2.0 (the "License");
7 | you may not use this file except in compliance with the License.
8 | You may obtain a copy of the License at
9 |
10 | http://www.apache.org/licenses/LICENSE-2.0
11 |
12 | Unless required by applicable law or agreed to in writing, software
13 | distributed under the License is distributed on an "AS IS" BASIS,
14 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | See the License for the specific language governing permissions and
16 | limitations under the License.
17 | */
18 |
19 | package main
20 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/images.json:
--------------------------------------------------------------------------------
1 | {
2 | "alertmanager": "bitnami/alertmanager:0.15.3-r43",
3 | "cert-manager": "bitnami/cert-manager:0.5.2-r37",
4 | "configmap-reload": "jimmidyson/configmap-reload:v0.2.2",
5 | "elasticsearch": "bitnami/elasticsearch:5.6.15-r0",
6 | "external-dns": "bitnami/external-dns:0.5.11-r1",
7 | "fluentd": "bitnami/fluentd:1.3.3-r23",
8 | "grafana": "bitnami/grafana:5.4.3-r18",
9 | "kibana": "bitnami/kibana:5.6.15-r0",
10 | "nginx-ingress-controller": "bitnami/nginx-ingress-controller:0.21.0-r12",
11 | "oauth2_proxy": "bitnami/oauth2-proxy:3.0.0-r0",
12 | "prometheus": "bitnami/prometheus:2.6.1-r12"
13 | }
14 |
--------------------------------------------------------------------------------
/pkg/util/signals.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package util
3 |
4 | import (
5 | "os"
6 | "os/signal"
7 | "syscall"
8 |
9 | "k8s.io/klog/v2"
10 | )
11 |
12 | func SignalHandler() chan struct{} {
13 | stopCh := make(chan struct{})
14 | ch := make(chan os.Signal, 2)
15 | signal.Notify(ch, syscall.SIGINT, syscall.SIGTERM)
16 |
17 | go func() {
18 | sig := <-ch
19 |
20 | close(stopCh)
21 |
22 | for i := 0; i < 3; i++ {
23 | klog.V(0).Infof("received signal %s, shutting down gracefully...", sig)
24 | sig = <-ch
25 | }
26 |
27 | klog.V(0).Infof("received signal %s, force closing", sig)
28 |
29 | os.Exit(1)
30 | }()
31 |
32 | return stopCh
33 | }
34 |
--------------------------------------------------------------------------------
/hack/boilerplate/test/pass.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # Copyright 2015 The Kubernetes Authors.
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
7 | # You may obtain a copy of the License at
8 | #
9 | # http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 |
17 | True
18 |
--------------------------------------------------------------------------------
/test/e2e/suite/cases/doc.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package cases
3 |
4 | import (
5 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/audit"
6 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/headers"
7 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/impersonation"
8 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/passthrough"
9 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/probe"
10 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/rbac"
11 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/token"
12 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases/upgrade"
13 | )
14 |
--------------------------------------------------------------------------------
/hack/boilerplate/test/fail.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # Copyright 2015 The Kubernetes Authors.
4 | #
5 | # failed
6 | #
7 | # Licensed under the Apache License, Version 2.0 (the "License");
8 | # you may not use this file except in compliance with the License.
9 | # You may obtain a copy of the License at
10 | #
11 | # http://www.apache.org/licenses/LICENSE-2.0
12 | #
13 | # Unless required by applicable law or agreed to in writing, software
14 | # distributed under the License is distributed on an "AS IS" BASIS,
15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 | # See the License for the specific language governing permissions and
17 | # limitations under the License.
18 |
--------------------------------------------------------------------------------
/demo/infrastructure/amazon/outputs.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | config = {
3 | cert_manager = "${data.external.cert_manager.result}"
4 | externaldns = "${data.external.externaldns.result}"
5 | gangway = "${module.gangway.config}"
6 |
7 | ca = {
8 | key = "${module.ca.key}"
9 | crt = "${module.ca.crt}"
10 | }
11 | }
12 | }
13 |
14 | output "config" {
15 | value = "${jsonencode(local.config)}"
16 | }
17 |
18 | output "kubeconfig_command" {
19 | value = "cp infrastructure/${var.cloud}/kubeconfig_cluster-${random_id.suffix.hex} $KUBECONFIG"
20 | }
21 |
22 | output "kubeconfig" {
23 | description = "kubectl config as generated by the module."
24 | value = "${module.cluster.kubeconfig}"
25 | }
26 |
--------------------------------------------------------------------------------
/demo/infrastructure/digitalocean/outputs.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | config = {
3 | cert_manager = "${data.external.cert_manager.result}"
4 | externaldns = "${data.external.externaldns.result}"
5 | gangway = "${module.gangway.config}"
6 |
7 | ca = {
8 | key = "${module.ca.key}"
9 | crt = "${module.ca.crt}"
10 | }
11 | }
12 | }
13 |
14 | output "config" {
15 | value = "${jsonencode(local.config)}"
16 | }
17 |
18 | output "kubeconfig_command" {
19 | value = "cd infrastructure/digitalocean/ && terraform output kubeconfig > $$KUBECONFIG"
20 | }
21 |
22 | output "kubeconfig" {
23 | description = "kubectl config as generated by the module."
24 | value = "${module.cluster.kubeconfig}"
25 | }
26 |
--------------------------------------------------------------------------------
/test/e2e/framework/config/config.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package config
3 |
4 | import (
5 | "errors"
6 |
7 | utilerrors "k8s.io/apimachinery/pkg/util/errors"
8 |
9 | "github.com/jetstack/kube-oidc-proxy/test/environment"
10 | )
11 |
12 | type Config struct {
13 | KubeConfigPath string
14 | Kubectl string
15 |
16 | RepoRoot string
17 |
18 | Environment *environment.Environment
19 | }
20 |
21 | func (c *Config) Validate() error {
22 | var errs []error
23 |
24 | if c.KubeConfigPath == "" {
25 | errs = append(errs, errors.New("kubeconfig path not defined"))
26 | }
27 |
28 | if c.RepoRoot == "" {
29 | errs = append(errs, errors.New("repo root not defined"))
30 | }
31 |
32 | return utilerrors.NewAggregate(errs)
33 | }
34 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/elasticsearch-config/java.security:
--------------------------------------------------------------------------------
1 | #
2 | # This is an alternate "security properties file".
3 | #
4 | # An alternate java.security properties file may be specified
5 | # from the command line via the system property
6 | #
7 | # -Djava.security.properties=
8 | #
9 |
10 | # The JVM defaults to caching positive hostname resolutions indefinitely.
11 | # Elasticsearch nodes rely on DNS (Kubernetes headless service), where DNS
12 | # resolutions vary with time (e.g., for node-to-node discovery). This
13 | # behaviour can be modified by adding networkaddress.cache.ttl=
14 | # to an alternate Java security properties file.
15 | # https://www.elastic.co/guide/en/elasticsearch/reference/6.3/networkaddress-cache-ttl.html
16 | networkaddress.cache.ttl=60
17 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/fluentd-es-config/output.conf:
--------------------------------------------------------------------------------
1 | # Enriches records with Kubernetes metadata
2 |
3 | @type kubernetes_metadata
4 |
5 |
6 |
7 | @id elasticsearch
8 | @type elasticsearch
9 | @log_level info
10 | type_name fluentd
11 | include_tag_key true
12 | host "#{ENV['ES_HOST']}"
13 | port 9200
14 | logstash_format true
15 |
16 | @type file
17 | path /var/log/fluentd-buffers/kubernetes.system.buffer
18 | flush_mode interval
19 | retry_type exponential_backoff
20 | flush_thread_count 2
21 | flush_interval 5s
22 | retry_forever
23 | retry_max_interval 30
24 | chunk_limit_size 2M
25 | queue_limit_length 8
26 | overflow_action block
27 |
28 |
29 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/fluentd-es-config/monitoring.conf:
--------------------------------------------------------------------------------
1 | # Prometheus Exporter Plugin
2 | # input plugin that exports metrics
3 |
4 | @type prometheus
5 |
6 |
7 |
8 | @type monitor_agent
9 |
10 |
11 | # input plugin that collects metrics from MonitorAgent
12 |
13 | @type prometheus_monitor
14 |
15 | host ${hostname}
16 |
17 |
18 |
19 | # input plugin that collects metrics for output plugin
20 |
21 | @type prometheus_output_monitor
22 |
23 | host ${hostname}
24 |
25 |
26 |
27 | # input plugin that collects metrics for in_tail plugin
28 |
29 | @type prometheus_tail_monitor
30 |
31 | host ${hostname}
32 |
33 |
34 |
--------------------------------------------------------------------------------
/demo/infrastructure/google/output.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | config = {
3 | cert_manager = "${module.dns.config}"
4 | externaldns = "${module.dns.config}"
5 | gangway = "${module.gangway.config}"
6 |
7 | ca = {
8 | key = "${module.ca.key}"
9 | crt = "${module.ca.crt}"
10 | }
11 | }
12 | }
13 |
14 | output "config" {
15 | value = "${jsonencode(local.config)}"
16 | }
17 |
18 | # This fetches KUBECONFIG and grants full cluster admin access to the current user
19 | output "kubeconfig_command" {
20 | value = "gcloud container clusters get-credentials ${module.cluster.name} --zone ${var.google_zone} --project ${module.cluster.project} && kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account) --dry-run -o yaml | kubectl apply -f -"
21 | }
22 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/clusterrole.yaml:
--------------------------------------------------------------------------------
1 | kind: ClusterRole
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | metadata:
4 | labels:
5 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
6 | name: {{ include "kube-oidc-proxy.fullname" . }}
7 | rules:
8 | - apiGroups:
9 | - ""
10 | resources:
11 | - "users"
12 | - "groups"
13 | - "serviceaccounts"
14 | verbs:
15 | - "impersonate"
16 | - apiGroups:
17 | - "authentication.k8s.io"
18 | resources:
19 | - "userextras/scopes"
20 | - "userextras/remote-client-ip"
21 | - "tokenreviews"
22 | # to support end user impersonation
23 | - "userextras/authentication.kubernetes.io/credential-id"
24 | - "userextras/originaluser.jetstack.io-user"
25 | - "userextras/originaluser.jetstack.io-groups"
26 | - "userextras/originaluser.jetstack.io-extra"
27 | verbs:
28 | - "create"
29 | - "impersonate"
30 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/service.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: {{ include "kube-oidc-proxy.fullname" . }}
5 | labels:
6 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
7 | annotations:
8 | {{- range $key, $val := .Values.service.annotations }}
9 | {{ $key }}: {{ $val | quote }}
10 | {{- end }}
11 | spec:
12 | type: {{ .Values.service.type }}
13 | {{- if .Values.service.loadBalancerIP }}
14 | loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
15 | {{- end }}
16 | {{- if .Values.service.loadBalancerSourceRanges }}
17 | loadBalancerSourceRanges:
18 | {{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
19 | {{- end }}
20 | ports:
21 | - port: {{ .Values.service.port }}
22 | targetPort: 8443
23 | protocol: TCP
24 | name: https
25 | selector:
26 | app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }}
27 | app.kubernetes.io/instance: {{ .Release.Name }}
28 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/google-dns/dns.tf:
--------------------------------------------------------------------------------
1 | variable "suffix" {}
2 |
3 | resource "google_service_account" "external_dns" {
4 | account_id = "external-dns-${var.suffix}"
5 | display_name = "External DNS/Cert Manager service account for GKE cluster cluster-${var.suffix}"
6 | }
7 |
8 | # https://github.com/kubernetes-incubator/external-dns/blob/v0.4.0/docs/tutorials/gke.md#set-up-your-environment
9 | resource "google_project_iam_member" "dns_admin" {
10 | role = "roles/dns.admin"
11 | member = "serviceAccount:${google_service_account.external_dns.email}"
12 | }
13 |
14 | resource "google_service_account_key" "external_dns" {
15 | service_account_id = "${google_service_account.external_dns.account_id}"
16 | }
17 |
18 | output "config" {
19 | value = {
20 | service_account_credentials = "${base64decode(google_service_account_key.external_dns.private_key)}"
21 |
22 | project = "${google_service_account.external_dns.project}"
23 | provider = "google"
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/pkg/proxy/audit/handler.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package audit
3 |
4 | import (
5 | "net/http"
6 | )
7 |
8 | // This struct is used to implement an http.Handler interface. This will not
9 | // actually serve but instead implements auditing during unauthenticated
10 | // requests. It is expected that consumers of this type will call `ServeHTTP`
11 | // when an unauthenticated request is received.
12 | type unauthenticatedHandler struct {
13 | serveFunc func(http.ResponseWriter, *http.Request)
14 | }
15 |
16 | func NewUnauthenticatedHandler(a *Audit, serveFunc func(http.ResponseWriter, *http.Request)) http.Handler {
17 | u := &unauthenticatedHandler{
18 | serveFunc: serveFunc,
19 | }
20 |
21 | // if auditor is nil then return without wrapping
22 | if a == nil {
23 | return u
24 | }
25 |
26 | return a.WithUnauthorized(u)
27 | }
28 |
29 | func (u *unauthenticatedHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
30 | u.serveFunc(rw, r)
31 | }
32 |
--------------------------------------------------------------------------------
/cmd/app/options/serving.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | "net"
6 |
7 | "github.com/spf13/pflag"
8 | apiserveroptions "k8s.io/apiserver/pkg/server/options"
9 | cliflag "k8s.io/component-base/cli/flag"
10 | )
11 |
12 | type SecureServingOptions struct {
13 | *apiserveroptions.SecureServingOptions
14 | }
15 |
16 | func NewSecureServingOptions(nfs *cliflag.NamedFlagSets) *SecureServingOptions {
17 | s := &SecureServingOptions{
18 | SecureServingOptions: &apiserveroptions.SecureServingOptions{
19 | BindAddress: net.ParseIP("0.0.0.0"),
20 | BindPort: 6443,
21 | Required: true,
22 | ServerCert: apiserveroptions.GeneratableKeyCert{
23 | PairName: AppName,
24 | CertDirectory: "/var/run/kubernetes",
25 | },
26 | },
27 | }
28 |
29 | return s.AddFlags(nfs.FlagSet("Secure Serving"))
30 | }
31 |
32 | func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) *SecureServingOptions {
33 | s.SecureServingOptions.AddFlags(fs)
34 | return s
35 | }
36 |
--------------------------------------------------------------------------------
/hack/version-ldflags.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Copyright 2017 The Kubernetes Authors.
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | # This command is used by bazel as the workspace_status_command
17 | # to implement build stamping with git information.
18 |
19 | set -o errexit
20 | set -o nounset
21 | set -o pipefail
22 |
23 | export KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
24 |
25 | source "${KUBE_ROOT}/hack/lib/version.sh"
26 | KUBE_GO_PACKAGE=github.com/jetstack/kube-oidc-proxy
27 | kube::version::ldflags
28 |
--------------------------------------------------------------------------------
/test/e2e/framework/helper/requester.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package helper
3 |
4 | import (
5 | "fmt"
6 | "io/ioutil"
7 | "net/http"
8 | )
9 |
10 | type Requester struct {
11 | transport http.RoundTripper
12 | token string
13 | client *http.Client
14 | }
15 |
16 | func (h *Helper) NewRequester(transport http.RoundTripper, token string) *Requester {
17 | r := &Requester{
18 | token: token,
19 | transport: transport,
20 | }
21 |
22 | r.client = http.DefaultClient
23 | r.client.Transport = r
24 |
25 | return r
26 | }
27 |
28 | func (r *Requester) RoundTrip(req *http.Request) (*http.Response, error) {
29 | req.Header.Add("Authorization", fmt.Sprintf("bearer %s", r.token))
30 | return r.transport.RoundTrip(req)
31 | }
32 |
33 | func (r *Requester) Get(target string) ([]byte, *http.Response, error) {
34 | resp, err := r.client.Get(target)
35 | if err != nil {
36 | return nil, nil, err
37 | }
38 |
39 | body, err := ioutil.ReadAll(resp.Body)
40 | if err != nil {
41 | return nil, nil, err
42 | }
43 |
44 | return body, resp, nil
45 | }
46 |
--------------------------------------------------------------------------------
/docs/tasks/token-passthrough.md:
--------------------------------------------------------------------------------
1 | # Token Passthrough
2 |
3 | kube-oidc-proxy can be configured to enable 'token passthrough' for tokens that
4 | fail OIDC authentication. If enabled, kube-oidc-proxy will perform a [token
5 | review](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication)
6 | API call to the configured target backend using the Kubernetes API. If
7 | successful, the request will be passed through as-is, with the token intact in
8 | the request and no other authentication used by kube-oidc-proxy.
9 |
10 | To enable token passthrough, include the following flag:
11 |
12 | ```
13 | --token-passthrough
14 | ```
15 |
16 | In the case of the Kubernetes API server, the authenticator, if audience aware,
17 | will validate the audiences of tokens using the audience of the API server. A
18 | new set of audiences can also be given which will be used to validate the token
19 | against. At least one of these audiences need to be present in the audiences of
20 | the token to be successful:
21 |
22 | ```
23 | ---token-passthrough-audiences=aud1.foo.bar,aud2.foo.bar
24 | ```
25 |
--------------------------------------------------------------------------------
/demo/manifests/components/landingpage/google.svg:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/pkg/proxy/hooks/hooks.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package hooks
3 |
4 | import (
5 | "fmt"
6 | "sync"
7 |
8 | k8sErrors "k8s.io/apimachinery/pkg/util/errors"
9 | )
10 |
11 | type Hooks struct {
12 | preShutdownHooks map[string]ShutdownHook
13 | preShutdownHookLock sync.Mutex
14 | }
15 |
16 | type ShutdownHook func() error
17 |
18 | func New() *Hooks {
19 | return &Hooks{
20 | preShutdownHooks: make(map[string]ShutdownHook),
21 | }
22 | }
23 |
24 | func (h *Hooks) AddPreShutdownHook(name string, hook ShutdownHook) {
25 | h.preShutdownHookLock.Lock()
26 | defer h.preShutdownHookLock.Unlock()
27 |
28 | h.preShutdownHooks[name] = hook
29 | }
30 |
31 | // RunPreShutdownHooks runs the PreShutdownHooks for the server
32 | func (h *Hooks) RunPreShutdownHooks() error {
33 | var errs []error
34 |
35 | h.preShutdownHookLock.Lock()
36 | defer h.preShutdownHookLock.Unlock()
37 |
38 | for name, entry := range h.preShutdownHooks {
39 | if err := entry(); err != nil {
40 | errs = append(errs, fmt.Errorf("PreShutdownHook %q failed: %v", name, err))
41 | }
42 | }
43 |
44 | return k8sErrors.NewAggregate(errs)
45 | }
46 |
--------------------------------------------------------------------------------
/hack/verify-boilerplate.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Copyright 2014 The Kubernetes Authors.
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
7 | # You may obtain a copy of the License at
8 | #
9 | # http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 |
17 | set -o errexit
18 | set -o nounset
19 | set -o pipefail
20 |
21 | KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
22 |
23 | boilerDir="${KUBE_ROOT}/hack/boilerplate"
24 | boiler="${boilerDir}/boilerplate.py"
25 |
26 | files_need_boilerplate=($(${boiler} "$@"))
27 |
28 | # Run boilerplate check
29 | if [[ ${#files_need_boilerplate[@]} -gt 0 ]]; then
30 | for file in "${files_need_boilerplate[@]}"; do
31 | echo "Boilerplate header is wrong for: ${file}"
32 | done
33 |
34 | exit 1
35 | fi
36 |
--------------------------------------------------------------------------------
/test/tools/issuer/cmd/main.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package main
3 |
4 | import (
5 | "fmt"
6 | "os"
7 |
8 | "github.com/spf13/cobra"
9 |
10 | "github.com/jetstack/kube-oidc-proxy/pkg/util"
11 | "github.com/jetstack/kube-oidc-proxy/test/tools/issuer/cmd/options"
12 | "github.com/jetstack/kube-oidc-proxy/test/tools/issuer/pkg/issuer"
13 | )
14 |
15 | func main() {
16 | opts := new(options.Options)
17 | stopCh := util.SignalHandler()
18 |
19 | cmd := &cobra.Command{
20 | Use: "oidc-issuer",
21 | Short: "A very basic OIDC issuer to present a well-known endpoint.",
22 | RunE: func(cmd *cobra.Command, args []string) error {
23 |
24 | iss, err := issuer.New(opts.IssuerURL, opts.KeyFile, opts.CertFile, stopCh)
25 | if err != nil {
26 | return err
27 | }
28 |
29 | compCh, err := iss.Run(opts.BindAddress, opts.ListenPort)
30 | if err != nil {
31 | return err
32 | }
33 |
34 | <-compCh
35 |
36 | return nil
37 | },
38 | }
39 |
40 | opts.AddFlags(cmd)
41 |
42 | if err := cmd.Execute(); err != nil {
43 | fmt.Fprintf(os.Stderr, "%s\n", err.Error())
44 | os.Exit(1)
45 | }
46 |
47 | os.Exit(0)
48 | }
49 |
--------------------------------------------------------------------------------
/test/tools/fake-apiserver/cmd/options/options.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | "github.com/spf13/cobra"
6 | )
7 |
8 | type Options struct {
9 | BindAddress string
10 | ListenPort string
11 |
12 | KeyFile string
13 | CertFile string
14 | }
15 |
16 | func (o *Options) AddFlags(cmd *cobra.Command) {
17 | cmd.PersistentFlags().StringVar(&o.BindAddress, "bind-address",
18 | "0.0.0.0", "Bound Address to listen and serve on.")
19 |
20 | cmd.PersistentFlags().StringVar(&o.ListenPort, "secure-port",
21 | "6443", "Port to serve HTTPS.")
22 | o.must(cmd.MarkPersistentFlagRequired("secure-port"))
23 |
24 | cmd.PersistentFlags().StringVar(&o.KeyFile, "tls-private-key-file",
25 | "/etc/apiserver/key.pem", "File location to key for serving.")
26 | o.must(cmd.MarkPersistentFlagRequired("tls-private-key-file"))
27 |
28 | cmd.PersistentFlags().StringVar(&o.CertFile, "tls-cert-file",
29 | "/etc/apiserver/key.pem", "File location to certificate for serving.")
30 | o.must(cmd.MarkPersistentFlagRequired("tls-cert-file"))
31 | }
32 |
33 | func (o *Options) must(err error) {
34 | if err != nil {
35 | panic(err)
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/test/tools/audit-webhook/cmd/main.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package main
3 |
4 | import (
5 | "fmt"
6 | "os"
7 |
8 | "github.com/spf13/cobra"
9 |
10 | "github.com/jetstack/kube-oidc-proxy/pkg/util"
11 | "github.com/jetstack/kube-oidc-proxy/test/tools/audit-webhook/cmd/options"
12 | "github.com/jetstack/kube-oidc-proxy/test/tools/audit-webhook/pkg/sink"
13 | )
14 |
15 | func main() {
16 | opts := new(options.Options)
17 | stopCh := util.SignalHandler()
18 |
19 | cmd := &cobra.Command{
20 | Use: "audit-webhook",
21 | Short: "An server that implements a Kubernetes audit webhook sink",
22 | RunE: func(cmd *cobra.Command, args []string) error {
23 |
24 | wh, err := sink.New(opts.LogPath, opts.KeyFile, opts.CertFile, stopCh)
25 | if err != nil {
26 | return err
27 | }
28 |
29 | compCh, err := wh.Run(opts.BindAddress, opts.ListenPort)
30 | if err != nil {
31 | return err
32 | }
33 |
34 | <-compCh
35 |
36 | return nil
37 | },
38 | }
39 |
40 | opts.AddFlags(cmd)
41 |
42 | if err := cmd.Execute(); err != nil {
43 | fmt.Fprintf(os.Stderr, "%s\n", err.Error())
44 | os.Exit(1)
45 | }
46 |
47 | os.Exit(0)
48 | }
49 |
--------------------------------------------------------------------------------
/test/tools/fake-apiserver/cmd/main.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package main
3 |
4 | import (
5 | "fmt"
6 | "os"
7 |
8 | "github.com/spf13/cobra"
9 |
10 | "github.com/jetstack/kube-oidc-proxy/pkg/util"
11 | "github.com/jetstack/kube-oidc-proxy/test/tools/fake-apiserver/cmd/options"
12 | "github.com/jetstack/kube-oidc-proxy/test/tools/fake-apiserver/pkg/server"
13 | )
14 |
15 | func main() {
16 | opts := new(options.Options)
17 | stopCh := util.SignalHandler()
18 |
19 | cmd := &cobra.Command{
20 | Use: "fake-apiserver",
21 | Short: "A fake apiserver that will respond to requests with the same body and headers",
22 | RunE: func(cmd *cobra.Command, args []string) error {
23 | server, err := server.New(opts.KeyFile, opts.CertFile, stopCh)
24 | if err != nil {
25 | return err
26 | }
27 |
28 | compCh, err := server.Run(opts.BindAddress, opts.ListenPort)
29 | if err != nil {
30 | return err
31 | }
32 |
33 | <-compCh
34 |
35 | return nil
36 | },
37 | }
38 |
39 | opts.AddFlags(cmd)
40 |
41 | if err := cmd.Execute(); err != nil {
42 | fmt.Fprintf(os.Stderr, "%s\n", err.Error())
43 | os.Exit(1)
44 | }
45 |
46 | os.Exit(0)
47 | }
48 |
--------------------------------------------------------------------------------
/pkg/proxy/tokenreview/fake/tokenreview.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package fake
3 |
4 | import (
5 | "context"
6 |
7 | authv1 "k8s.io/api/authentication/v1"
8 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
9 | clientauthv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
10 | )
11 |
12 | var _ clientauthv1.TokenReviewInterface = &FakeReviewer{}
13 |
14 | type FakeReviewer struct {
15 | CreateFn func(*authv1.TokenReview) (*authv1.TokenReview, error)
16 | }
17 |
18 | func New() *FakeReviewer {
19 | return &FakeReviewer{
20 | CreateFn: func(*authv1.TokenReview) (*authv1.TokenReview, error) {
21 | return nil, nil
22 | },
23 | }
24 | }
25 |
26 | func (f *FakeReviewer) Create(ctx context.Context, req *authv1.TokenReview, co metav1.CreateOptions) (*authv1.TokenReview, error) {
27 | return f.CreateFn(req)
28 | }
29 |
30 | func (f *FakeReviewer) CreateContext(ctx context.Context, req *authv1.TokenReview) (*authv1.TokenReview, error) {
31 | return f.CreateFn(req)
32 | }
33 |
34 | func (f *FakeReviewer) WithCreate(req *authv1.TokenReview, err error) *FakeReviewer {
35 | f.CreateFn = func(*authv1.TokenReview) (*authv1.TokenReview, error) {
36 | return req, err
37 | }
38 |
39 | return f
40 | }
41 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/ingress.yaml:
--------------------------------------------------------------------------------
1 | {{- if .Values.ingress.enabled -}}
2 | {{- $fullName := include "kube-oidc-proxy.fullname" . -}}
3 | apiVersion: networking.k8s.io/v1
4 | kind: Ingress
5 | metadata:
6 | name: {{ $fullName }}
7 | labels:
8 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
9 | {{- with .Values.ingress.annotations }}
10 | annotations:
11 | {{- toYaml . | nindent 4 }}
12 | {{- end }}
13 | spec:
14 | {{- if .Values.ingress.tls }}
15 | tls:
16 | {{- range .Values.ingress.tls }}
17 | - hosts:
18 | {{- range .hosts }}
19 | - {{ . | quote }}
20 | {{- end }}
21 | secretName: {{ .secretName }}
22 | {{- end }}
23 | {{- end }}
24 | {{- if .Values.ingress.ingressClassName }}
25 | ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
26 | {{- end }}
27 | rules:
28 | {{- range .Values.ingress.hosts }}
29 | - host: {{ .host | quote }}
30 | http:
31 | paths:
32 | {{- range .paths }}
33 | - path: {{ . }}
34 | pathType: Prefix
35 | backend:
36 | service:
37 | name: {{ $fullName }}
38 | port:
39 | name: https
40 | {{- end }}
41 | {{- end }}
42 | {{- end }}
43 |
--------------------------------------------------------------------------------
/test/tools/audit-webhook/cmd/options/options.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | "github.com/spf13/cobra"
6 | )
7 |
8 | type Options struct {
9 | BindAddress string
10 | ListenPort string
11 |
12 | LogPath string
13 |
14 | KeyFile string
15 | CertFile string
16 | }
17 |
18 | func (o *Options) AddFlags(cmd *cobra.Command) {
19 | cmd.PersistentFlags().StringVar(&o.BindAddress, "bind-address",
20 | "0.0.0.0", "Bound Address to listen and serve on.")
21 |
22 | cmd.PersistentFlags().StringVar(&o.ListenPort, "secure-port",
23 | "6443", "Port to serve HTTPS.")
24 |
25 | cmd.PersistentFlags().StringVar(&o.LogPath, "audit-file-path",
26 | "/var/log/audit", "Filepath to write audit logs to.")
27 |
28 | cmd.PersistentFlags().StringVar(&o.KeyFile, "tls-private-key-file",
29 | "/etc/oidc/key.pem", "File location to key for serving.")
30 | o.must(cmd.MarkPersistentFlagRequired("tls-private-key-file"))
31 |
32 | cmd.PersistentFlags().StringVar(&o.CertFile, "tls-cert-file",
33 | "/etc/oidc/key.pem", "File location to certificate for serving.")
34 | o.must(cmd.MarkPersistentFlagRequired("tls-cert-file"))
35 | }
36 |
37 | func (o *Options) must(err error) {
38 | if err != nil {
39 | panic(err)
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/test/e2e/suite/suite_test.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package suite
3 |
4 | import (
5 | "os"
6 | "path/filepath"
7 | "testing"
8 | "time"
9 |
10 | "github.com/onsi/ginkgo"
11 | ginkgoconfig "github.com/onsi/ginkgo/config"
12 | "github.com/onsi/ginkgo/reporters"
13 | "github.com/onsi/gomega"
14 | "k8s.io/apimachinery/pkg/util/wait"
15 |
16 | _ "github.com/jetstack/kube-oidc-proxy/test/e2e/suite/cases"
17 | )
18 |
19 | func init() {
20 | // Turn on verbose by default to get spec names
21 | ginkgoconfig.DefaultReporterConfig.Verbose = true
22 | // Turn on EmitSpecProgress to get spec progress (especially on interrupt)
23 | ginkgoconfig.GinkgoConfig.EmitSpecProgress = true
24 | // Randomize specs as well as suites
25 | ginkgoconfig.GinkgoConfig.RandomizeAllSpecs = true
26 |
27 | wait.ForeverTestTimeout = time.Second * 60
28 | }
29 |
30 | func TestE2E(t *testing.T) {
31 | gomega.RegisterFailHandler(ginkgo.Fail)
32 |
33 | junitPath := "../../../artifacts"
34 | if path := os.Getenv("ARTIFACTS"); path != "" {
35 | junitPath = path
36 | }
37 |
38 | junitReporter := reporters.NewJUnitReporter(filepath.Join(
39 | junitPath,
40 | "junit-go-e2e.xml",
41 | ))
42 | ginkgo.RunSpecsWithDefaultAndCustomReporters(t, "kube-oidc-proxy e2e suite", []ginkgo.Reporter{junitReporter})
43 | }
44 |
--------------------------------------------------------------------------------
/test/e2e/suite/suite.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package suite
3 |
4 | import (
5 | "path/filepath"
6 |
7 | . "github.com/onsi/ginkgo"
8 | log "github.com/sirupsen/logrus"
9 |
10 | "github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
11 | "github.com/jetstack/kube-oidc-proxy/test/environment"
12 | )
13 |
14 | var (
15 | env *environment.Environment
16 | cfg = framework.DefaultConfig
17 | )
18 |
19 | var _ = SynchronizedBeforeSuite(func() []byte {
20 | var err error
21 | env, err = environment.New(1, 0)
22 | if err != nil {
23 | log.Fatalf("Error provisioning environment: %s", err)
24 | }
25 |
26 | if err := env.Create(); err != nil {
27 | log.Fatalf("Error creating environment: %s", err)
28 | }
29 |
30 | cfg.KubeConfigPath = env.KubeConfigPath()
31 | cfg.Kubectl = filepath.Join(env.RootPath(), "bin", "kubectl")
32 | cfg.RepoRoot = env.RootPath()
33 | cfg.Environment = env
34 |
35 | if err := framework.DefaultConfig.Validate(); err != nil {
36 | log.Fatalf("Invalid test config: %s", err)
37 | }
38 |
39 | return nil
40 | }, func([]byte) {
41 | })
42 |
43 | var _ = SynchronizedAfterSuite(func() {},
44 | func() {
45 | if env != nil {
46 | if err := env.Destory(); err != nil {
47 | log.Fatalf("Failed to destory environment: %s", err)
48 | }
49 | }
50 | },
51 | )
52 |
--------------------------------------------------------------------------------
/test/e2e/framework/helper/kubectl.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package helper
3 |
4 | import (
5 | "io"
6 | "os"
7 | "os/exec"
8 | "strings"
9 | )
10 |
11 | type Kubectl struct {
12 | namespace string
13 | kubectl string
14 | kubeconfig string
15 | }
16 |
17 | func (k *Kubectl) Describe(resources ...string) error {
18 | resourceNames := strings.Join(resources, ",")
19 | return k.Run("describe", resourceNames)
20 | }
21 |
22 | func (k *Kubectl) DescribeResource(resource, name string) error {
23 | return k.Run("describe", resource, name)
24 | }
25 |
26 | func (h *Helper) Kubectl(ns string) *Kubectl {
27 | return &Kubectl{
28 | namespace: ns,
29 | kubectl: h.cfg.Kubectl,
30 | kubeconfig: h.cfg.KubeConfigPath,
31 | }
32 | }
33 |
34 | func (k *Kubectl) Run(args ...string) error {
35 | return k.RunWithStdout(os.Stdout, args...)
36 | }
37 |
38 | func (k *Kubectl) RunWithStdout(stdout io.Writer, args ...string) error {
39 | baseArgs := []string{"--kubeconfig", k.kubeconfig}
40 | if k.namespace == "" {
41 | baseArgs = append(baseArgs, "--all-namespaces")
42 | } else {
43 | baseArgs = []string{"--namespace", k.namespace}
44 | }
45 | args = append(baseArgs, args...)
46 | cmd := exec.Command(k.kubectl, args...)
47 | cmd.Stdout = stdout
48 | cmd.Stderr = os.Stderr
49 | return cmd.Run()
50 | }
51 |
--------------------------------------------------------------------------------
/test/tools/issuer/cmd/options/options.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | "github.com/spf13/cobra"
6 | )
7 |
8 | type Options struct {
9 | BindAddress string
10 | ListenPort string
11 |
12 | IssuerURL string
13 |
14 | KeyFile string
15 | CertFile string
16 | }
17 |
18 | func (o *Options) AddFlags(cmd *cobra.Command) {
19 | cmd.PersistentFlags().StringVar(&o.BindAddress, "bind-address",
20 | "0.0.0.0", "Bound Address to listen and serve on.")
21 |
22 | cmd.PersistentFlags().StringVar(&o.ListenPort, "secure-port",
23 | "6443", "Port to serve HTTPS.")
24 | o.must(cmd.MarkPersistentFlagRequired("secure-port"))
25 |
26 | cmd.PersistentFlags().StringVar(&o.IssuerURL, "issuer-url",
27 | "", "URL of the issuer that appears in well-known responses.")
28 | o.must(cmd.MarkPersistentFlagRequired("issuer-url"))
29 |
30 | cmd.PersistentFlags().StringVar(&o.KeyFile, "tls-private-key-file",
31 | "/etc/oidc/key.pem", "File location to key for serving.")
32 | o.must(cmd.MarkPersistentFlagRequired("tls-private-key-file"))
33 |
34 | cmd.PersistentFlags().StringVar(&o.CertFile, "tls-cert-file",
35 | "/etc/oidc/key.pem", "File location to certificate for serving.")
36 | o.must(cmd.MarkPersistentFlagRequired("tls-cert-file"))
37 | }
38 |
39 | func (o *Options) must(err error) {
40 | if err != nil {
41 | panic(err)
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/docs/tasks/extra-impersonation-headers.md:
--------------------------------------------------------------------------------
1 | # Extra Impersonation Headers
2 |
3 | kube-oidc-proxy has support for adding 'extra' headers to the impersonation user
4 | info. This can be useful for passing extra information onto the target server
5 | about the proxy or client. kube-oidc-proxy currently supports two configuration
6 | options.
7 |
8 | # Client IP
9 |
10 | The following flag can be passed which will append the remote client IP as an
11 | extra header:
12 |
13 | `--extra-user-header-client-ip`
14 |
15 | Proxied requests will then contain the header
16 | `Impersonate-Extra-Remote-Client-Ip: ` where `` is
17 | the address of the source connection of the request. Note that this IP address
18 | may not be the real client IP address when the request is being proxied. If the
19 | `X-Forwarded-For` header is present in the request then the value will be used
20 | as the client address.
21 |
22 | # Extra User Headers
23 |
24 | The following flag accepts a number of key value pairs that will be added as
25 | extra impersonation headers with proxied requests. This flag accepts a number of
26 | key value pairs, separated by commas, where a single key may have multiple
27 | values:
28 |
29 | `--extra-user-headers=key1=foo,key2=bar,key1=bar`
30 |
31 | Proxied requests will then contain the headers
32 |
33 | `Impersonate-Extra-Key1: foo,bar`
34 | `Impersonate-Extra-Key2: foo`
35 |
--------------------------------------------------------------------------------
/demo/config.dist.jsonnet:
--------------------------------------------------------------------------------
1 | local main = import './manifests/main.jsonnet';
2 |
3 | function(cloud='google') main {
4 | cloud: cloud,
5 | // this will only run the google cluster
6 | clouds: {
7 | google: main.clouds.google,
8 | amazon: main.clouds.amazon,
9 | digitalocean: main.clouds.digitalocean,
10 | },
11 | base_domain: '.kubernetes.example.net',
12 | cert_manager+: {
13 | letsencrypt_contact_email:: 'certificates@example.net',
14 | solvers+: [
15 | //{
16 | // http01: {
17 | // ingress: {},
18 | // },
19 | //},
20 | {
21 | dns01: {
22 | clouddns: {
23 | project: $.config.cert_manager.project,
24 | serviceAccountSecretRef: {
25 | name: $.cert_manager.google_secret.metadata.name,
26 | key: 'credentials.json',
27 | },
28 | },
29 | },
30 | },
31 | ],
32 | },
33 | dex+: if $.master then {
34 | users: [
35 | $.dex.Password('admin@example.net', '$2y$10$i2.tSLkchjnpvnI73iSW/OPAVriV9BWbdfM6qemBM1buNRu81.ZG.'), // plaintext: secure
36 | ],
37 | // This shows how to add dex connectors
38 | connectors: [
39 | $.dex.Connector('github', 'GitHub', 'github', {
40 | clientID: '0123',
41 | clientSecret: '4567',
42 | orgs: [{
43 | name: 'example-net',
44 | }],
45 | }),
46 | ],
47 | } else {
48 | },
49 | }
50 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/secret_config.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: {{ include "kube-oidc-proxy.fullname" . }}-config
5 | labels:
6 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
7 | type: Opaque
8 | data:
9 | {{- if .Values.oidc.caPEM }}
10 | oidc.ca-pem: {{ .Values.oidc.caPEM | default "" | b64enc }}
11 | {{- end }}
12 |
13 | {{- if .Values.oidc.issuerUrl }}
14 | oidc.issuer-url: {{ .Values.oidc.issuerUrl | b64enc }}
15 | {{- end }}
16 |
17 | {{- if .Values.oidc.usernameClaim }}
18 | oidc.username-claim: {{ .Values.oidc.usernameClaim | default "" | b64enc }}
19 | {{- end }}
20 |
21 | {{- if .Values.oidc.clientId }}
22 | oidc.client-id: {{ .Values.oidc.clientId | b64enc }}
23 | {{- end }}
24 |
25 | {{- if .Values.oidc.usernamePrefix }}
26 | oidc.username-prefix: {{ .Values.oidc.usernamePrefix | default "" | b64enc }}
27 | {{- end }}
28 |
29 | {{- if .Values.oidc.groupsClaim }}
30 | oidc.groups-claim: {{ .Values.oidc.groupsClaim | default "" | b64enc }}
31 | {{- end }}
32 |
33 | {{- if .Values.oidc.groupsPrefix }}
34 | oidc.groups-prefix: {{ .Values.oidc.groupsPrefix | default "" | b64enc }}
35 | {{- end }}
36 |
37 | {{- if .Values.oidc.signingAlgs }}
38 | oidc.signing-algs: {{ join "," .Values.oidc.signingAlgs | default "" | b64enc }}
39 | {{- end }}
40 |
41 | {{- if .Values.oidc.requiredClaims }}
42 | oidc.required-claims: {{ include "requiredClaims" . | b64enc }}
43 | {{- end }}
44 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/tests/aks.jsonnet:
--------------------------------------------------------------------------------
1 | /*
2 | * Bitnami Kubernetes Production Runtime - A collection of services that makes it
3 | * easy to run production workloads in Kubernetes.
4 | *
5 | * Copyright 2018-2019 Bitnami
6 | *
7 | * Licensed under the Apache License, Version 2.0 (the "License");
8 | * you may not use this file except in compliance with the License.
9 | * You may obtain a copy of the License at
10 | *
11 | * http://www.apache.org/licenses/LICENSE-2.0
12 | *
13 | * Unless required by applicable law or agreed to in writing, software
14 | * distributed under the License is distributed on an "AS IS" BASIS,
15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 | * See the License for the specific language governing permissions and
17 | * limitations under the License.
18 | */
19 |
20 | // Test AKS
21 |
22 | (import "../platforms/aks.jsonnet") {
23 | "letsencrypt_contact_email": "noone@nowhere.com",
24 | config: {
25 | dnsZone: "test.example.com",
26 | externalDns: {
27 | tenantId: "mytenant",
28 | subscriptionId: "mysubscription",
29 | aadClientId: "myclientid",
30 | aadClientSecret: "mysecret",
31 | resourceGroup: "test-resource-group",
32 | },
33 | oauthProxy: {
34 | client_id: "myclientid",
35 | client_secret: "mysecret",
36 | cookie_secret: "cookiesecret",
37 | authz_domain: "test.invalid",
38 | azure_tenant: "mytenant",
39 | },
40 | },
41 | }
42 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/tests/gke.jsonnet:
--------------------------------------------------------------------------------
1 | /*
2 | * Bitnami Kubernetes Production Runtime - A collection of services that makes it
3 | * easy to run production workloads in Kubernetes.
4 | *
5 | * Copyright 2018-2019 Bitnami
6 | *
7 | * Licensed under the Apache License, Version 2.0 (the "License");
8 | * you may not use this file except in compliance with the License.
9 | * You may obtain a copy of the License at
10 | *
11 | * http://www.apache.org/licenses/LICENSE-2.0
12 | *
13 | * Unless required by applicable law or agreed to in writing, software
14 | * distributed under the License is distributed on an "AS IS" BASIS,
15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 | * See the License for the specific language governing permissions and
17 | * limitations under the License.
18 | */
19 |
20 | // Test GKE
21 |
22 | (import "../platforms/gke.jsonnet") {
23 | "letsencrypt_contact_email": "noone@nowhere.com",
24 | config: {
25 | dnsZone: "test.example.com",
26 | externalDns: {
27 | credentials: "google credentials json contents",
28 | project: "dns_gcp_project",
29 | },
30 | oauthProxy: {
31 | client_id: "myclientid",
32 | client_secret: "mysecret",
33 | cookie_secret: "cookiesecret",
34 | authz_domain: "test.invalid",
35 | google_groups: [],
36 | google_admin_email: "admin@example.com",
37 | google_service_account_json: "",
38 | },
39 | },
40 | }
41 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/fluentd-es-config/import-from-upstream.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # Bitnami Kubernetes Production Runtime - A collection of services that makes it
4 | # easy to run production workloads in Kubernetes.
5 | #
6 | # Copyright 2018-2019 Bitnami
7 | #
8 | # Licensed under the Apache License, Version 2.0 (the "License");
9 | # you may not use this file except in compliance with the License.
10 | # You may obtain a copy of the License at
11 | #
12 | # http://www.apache.org/licenses/LICENSE-2.0
13 | #
14 | # Unless required by applicable law or agreed to in writing, software
15 | # distributed under the License is distributed on an "AS IS" BASIS,
16 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 | # See the License for the specific language governing permissions and
18 | # limitations under the License.
19 |
20 | # Save *.conf files needed for fluentd-es log pre-processing from upstream
21 | # yaml-s
22 |
23 | import os
24 | import yaml
25 | import requests
26 |
27 | r = requests.get("https://raw.githubusercontent.com/kubernetes/kubernetes/"
28 | "master/cluster/addons/fluentd-elasticsearch/"
29 | "fluentd-es-configmap.yaml")
30 | DIR = os.path.dirname(__file__)
31 |
32 | for fname, content in yaml.safe_load(r.text)['data'].items():
33 | fname = os.path.join(DIR, fname)
34 | print("Saving to " + fname)
35 | with open(fname, "w") as f:
36 | f.write(content)
37 | f.write("\n") # Add trailing newline
38 |
--------------------------------------------------------------------------------
/test/e2e/suite/cases/probe/probe.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package probe
3 |
4 | import (
5 | "time"
6 |
7 | . "github.com/onsi/ginkgo"
8 | . "github.com/onsi/gomega"
9 |
10 | "github.com/jetstack/kube-oidc-proxy/test/e2e/framework"
11 | "github.com/jetstack/kube-oidc-proxy/test/kind"
12 | )
13 |
14 | var _ = framework.CasesDescribe("Readiness Probe", func() {
15 | f := framework.NewDefaultFramework("readiness-probe")
16 |
17 | It("Should not become ready if the issuer is unavailable", func() {
18 | By("Deleting the Issuer so no longer becomes reachable")
19 | Expect(f.Helper().DeleteIssuer(f.Namespace.Name)).NotTo(HaveOccurred())
20 |
21 | By("Deleting the current proxy that is ready")
22 | Expect(f.Helper().DeleteProxy(f.Namespace.Name)).NotTo(HaveOccurred())
23 |
24 | By("Deploying the Proxy should never become ready as the issuer is unavailable")
25 | _, _, err := f.Helper().DeployProxy(f.Namespace, f.IssuerURL(),
26 | f.ClientID(), f.IssuerKeyBundle(), nil)
27 | // Error should occur (not ready)
28 | Expect(err).To(HaveOccurred())
29 | })
30 |
31 | It("Should continue to be ready even if the issuer becomes unavailable", func() {
32 | By("Deleting the Issuer so no longer becomes reachable")
33 | Expect(f.Helper().DeleteIssuer(f.Namespace.Name)).NotTo(HaveOccurred())
34 |
35 | time.Sleep(time.Second * 10)
36 |
37 | err := f.Helper().WaitForDeploymentReady(f.Namespace.Name, kind.ProxyImageName, time.Second*5)
38 | Expect(err).NotTo(HaveOccurred())
39 | })
40 | })
41 |
--------------------------------------------------------------------------------
/demo/manifests/components/contour-clusterrole.json:
--------------------------------------------------------------------------------
1 | {
2 | "apiVersion": "rbac.authorization.k8s.io/v1beta1",
3 | "kind": "ClusterRole",
4 | "metadata": {
5 | "name": "contour"
6 | },
7 | "rules": [
8 | {
9 | "apiGroups": [
10 | ""
11 | ],
12 | "resources": [
13 | "configmaps",
14 | "endpoints",
15 | "nodes",
16 | "pods",
17 | "secrets"
18 | ],
19 | "verbs": [
20 | "list",
21 | "watch"
22 | ]
23 | },
24 | {
25 | "apiGroups": [
26 | ""
27 | ],
28 | "resources": [
29 | "nodes"
30 | ],
31 | "verbs": [
32 | "get"
33 | ]
34 | },
35 | {
36 | "apiGroups": [
37 | ""
38 | ],
39 | "resources": [
40 | "services"
41 | ],
42 | "verbs": [
43 | "get",
44 | "list",
45 | "watch"
46 | ]
47 | },
48 | {
49 | "apiGroups": [
50 | "extensions"
51 | ],
52 | "resources": [
53 | "ingresses"
54 | ],
55 | "verbs": [
56 | "get",
57 | "list",
58 | "watch"
59 | ]
60 | },
61 | {
62 | "apiGroups": [
63 | "contour.heptio.com"
64 | ],
65 | "resources": [
66 | "ingressroutes",
67 | "tlscertificatedelegations"
68 | ],
69 | "verbs": [
70 | "get",
71 | "list",
72 | "watch",
73 | "put",
74 | "post",
75 | "patch"
76 | ]
77 | }
78 | ]
79 | }
80 |
--------------------------------------------------------------------------------
/hack/boilerplate/boilerplate_test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | # Copyright 2016 The Kubernetes Authors.
4 | #
5 | # Licensed under the Apache License, Version 2.0 (the "License");
6 | # you may not use this file except in compliance with the License.
7 | # You may obtain a copy of the License at
8 | #
9 | # http://www.apache.org/licenses/LICENSE-2.0
10 | #
11 | # Unless required by applicable law or agreed to in writing, software
12 | # distributed under the License is distributed on an "AS IS" BASIS,
13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 | # See the License for the specific language governing permissions and
15 | # limitations under the License.
16 |
17 | import boilerplate
18 | import unittest
19 | import StringIO
20 | import os
21 | import sys
22 |
23 | class TestBoilerplate(unittest.TestCase):
24 | """
25 | Note: run this test from the hack/boilerplate directory.
26 |
27 | $ python -m unittest boilerplate_test
28 | """
29 |
30 | def test_boilerplate(self):
31 | os.chdir("test/")
32 |
33 | class Args(object):
34 | def __init__(self):
35 | self.filenames = []
36 | self.rootdir = "."
37 | self.boilerplate_dir = "../"
38 | self.verbose = True
39 |
40 | # capture stdout
41 | old_stdout = sys.stdout
42 | sys.stdout = StringIO.StringIO()
43 |
44 | boilerplate.args = Args()
45 | ret = boilerplate.main()
46 |
47 | output = sorted(sys.stdout.getvalue().split())
48 |
49 | sys.stdout = old_stdout
50 |
51 | self.assertEquals(
52 | output, ['././fail.go', '././fail.py'])
53 |
--------------------------------------------------------------------------------
/pkg/util/token.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package util
3 |
4 | import (
5 | "net/http"
6 | "strings"
7 | "time"
8 |
9 | "gopkg.in/square/go-jose.v2"
10 | "gopkg.in/square/go-jose.v2/jwt"
11 | )
12 |
13 | // Return just the token from the header of the request, without 'bearer'.
14 | func ParseTokenFromRequest(req *http.Request) (string, bool) {
15 | if req == nil || req.Header == nil {
16 | return "", false
17 | }
18 |
19 | auth := strings.TrimSpace(req.Header.Get("Authorization"))
20 | if auth == "" {
21 | return "", false
22 | }
23 |
24 | parts := strings.Split(auth, " ")
25 | if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {
26 | return "", false
27 | }
28 |
29 | token := parts[1]
30 |
31 | // Empty bearer tokens aren't valid
32 | if len(token) == 0 {
33 | return "", false
34 | }
35 |
36 | return token, true
37 | }
38 |
39 | // fakeJWT generates a valid JWT using the passed input parameters which is
40 | // signed by a generated key. This is useful for checking the status of a
41 | // signer.
42 | func FakeJWT(issuerURL string) (string, error) {
43 | key := []byte("secret")
44 |
45 | sig, err := jose.NewSigner(
46 | jose.SigningKey{Algorithm: jose.HS256, Key: key},
47 | (&jose.SignerOptions{}).WithType("JWT"))
48 | if err != nil {
49 | return "", err
50 | }
51 |
52 | cl := jwt.Claims{
53 | Subject: "fake",
54 | Issuer: issuerURL,
55 | NotBefore: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
56 | Audience: jwt.Audience(nil),
57 | }
58 |
59 | return jwt.Signed(sig).Claims(cl).CompactSerialize()
60 | }
61 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | 1. Get the application URL by running these commands:
2 | {{- if .Values.ingress.enabled }}
3 | {{- range $host := .Values.ingress.hosts }}
4 | {{- range .paths }}
5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
6 | {{- end }}
7 | {{- end }}
8 | {{- else if contains "NodePort" .Values.service.type }}
9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kube-oidc-proxy.fullname" . }})
10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
11 | echo http://$NODE_IP:$NODE_PORT
12 | {{- else if contains "LoadBalancer" .Values.service.type }}
13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available.
14 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kube-oidc-proxy.fullname" . }}'
15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kube-oidc-proxy.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
16 | echo http://$SERVICE_IP:{{ .Values.service.port }}
17 | {{- else if contains "ClusterIP" .Values.service.type }}
18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kube-oidc-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
19 | echo "Visit http://127.0.0.1:8080 to use your application"
20 | kubectl port-forward $POD_NAME 8080:80
21 | {{- end }}
22 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/secret_tls.yaml:
--------------------------------------------------------------------------------
1 | {{ $fullname := include "kube-oidc-proxy.fullname" . }}
2 | {{ $ca := genCA (printf "%s-ca" $fullname) 3650 }}
3 | {{ $cn := printf "%s.%s.svc.cluster.local" $fullname .Release.Namespace }}
4 | {{ $in := printf "%s-issuer" $fullname }}
5 |
6 | {{ if .Values.tls.certManager }}
7 | {{ if .Values.tls.selfSigned }}
8 | apiVersion: cert-manager.io/v1
9 | kind: Issuer
10 | metadata:
11 | name: {{ template "kube-oidc-proxy.fullname" . }}-issuer
12 | spec:
13 | selfSigned: {}
14 | ---
15 | {{ end }}
16 | apiVersion: cert-manager.io/v1
17 | kind: Certificate
18 | metadata:
19 | name: {{ template "kube-oidc-proxy.fullname" . }}-tls
20 | spec:
21 | commonName: {{ template "kube-oidc-proxy.fullname" . }}-tls
22 | dnsNames:
23 | - {{ $cn }}
24 | secretName: {{ template "kube-oidc-proxy.fullname" . }}-tls
25 | issuerRef:
26 | group: cert-manager.io
27 | kind: Issuer
28 | name: {{ .Values.tls.issuerName | default $in }}
29 | {{ if .Values.tls.selfSigned }}
30 | duration: 3650h0m0s
31 | privateKey:
32 | algorithm: RSA
33 | encoding: PKCS8
34 | size: 2048
35 | renewBefore: 24h0m0s
36 | usages:
37 | - server auth
38 | {{ end }}
39 | {{ else }}
40 | {{- if (not .Values.tls.secretName) }}
41 | {{ $server := genSignedCert $cn nil nil 365 $ca }}
42 | apiVersion: v1
43 | kind: Secret
44 | type: kubernetes.io/tls
45 | metadata:
46 | name: {{ template "kube-oidc-proxy.fullname" . }}-tls
47 | labels:
48 | {{ include "kube-oidc-proxy.labels" . | indent 4 }}
49 | data:
50 | tls.crt: {{ b64enc $server.Cert }}
51 | tls.key: {{ b64enc $server.Key }}
52 | {{ end }}
53 | {{ end }}
--------------------------------------------------------------------------------
/pkg/probe/probe.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package probe
3 |
4 | import (
5 | "context"
6 | "fmt"
7 | "net"
8 | "net/http"
9 | "strings"
10 | "time"
11 |
12 | "github.com/heptiolabs/healthcheck"
13 | "k8s.io/apiserver/pkg/authentication/authenticator"
14 | "k8s.io/klog/v2"
15 | )
16 |
17 | const (
18 | timeout = time.Second * 10
19 | )
20 |
21 | type HealthCheck struct {
22 | handler healthcheck.Handler
23 |
24 | oidcAuther authenticator.Token
25 | fakeJWT string
26 |
27 | ready bool
28 | }
29 |
30 | func Run(port, fakeJWT string, oidcAuther authenticator.Token) error {
31 | h := &HealthCheck{
32 | handler: healthcheck.NewHandler(),
33 | oidcAuther: oidcAuther,
34 | fakeJWT: fakeJWT,
35 | }
36 |
37 | h.handler.AddReadinessCheck("secure serving", h.Check)
38 |
39 | go func() {
40 | for {
41 | err := http.ListenAndServe(net.JoinHostPort("0.0.0.0", port), h.handler)
42 | if err != nil {
43 | klog.Errorf("ready probe listener failed: %s", err)
44 | }
45 | time.Sleep(5 * time.Second)
46 | }
47 | }()
48 |
49 | return nil
50 | }
51 |
52 | func (h *HealthCheck) Check() error {
53 | if h.ready {
54 | return nil
55 | }
56 |
57 | ctx, cancel := context.WithTimeout(context.Background(), timeout)
58 | defer cancel()
59 |
60 | _, _, err := h.oidcAuther.AuthenticateToken(ctx, h.fakeJWT)
61 | if err != nil && strings.HasSuffix(err.Error(), "authenticator not initialized") {
62 | err = fmt.Errorf("OIDC provider not yet initialized: %s", err)
63 | klog.V(4).Infof(err.Error())
64 | return err
65 | }
66 |
67 | h.ready = true
68 |
69 | klog.V(4).Info("OIDC provider initialized.")
70 |
71 | return nil
72 | }
73 |
--------------------------------------------------------------------------------
/test/util/tls.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package util
3 |
4 | import (
5 | "crypto/rsa"
6 | "crypto/x509"
7 | "encoding/pem"
8 | "fmt"
9 | "io/ioutil"
10 | "net"
11 | "os"
12 | "path/filepath"
13 |
14 | "k8s.io/client-go/util/cert"
15 | )
16 |
17 | type KeyBundle struct {
18 | CertPath string
19 | KeyPath string
20 | CertBytes []byte
21 | KeyBytes []byte
22 | Key *rsa.PrivateKey
23 | }
24 |
25 | const (
26 | prefix = "kube-oidc-proxy"
27 | )
28 |
29 | func NewTLSSelfSignedCertKey(host string, netIPs []net.IP, dnsNames []string) (*KeyBundle, error) {
30 | certBytes, keyBytes, err := cert.GenerateSelfSignedCertKey(host, netIPs, dnsNames)
31 | if err != nil {
32 | return nil, err
33 | }
34 |
35 | dir, err := ioutil.TempDir(os.TempDir(), prefix)
36 | if err != nil {
37 | return nil, err
38 | }
39 | defer os.RemoveAll(dir)
40 |
41 | certPath := filepath.Join(dir, fmt.Sprintf("%s-ca.pem", prefix))
42 | keyPath := filepath.Join(dir, fmt.Sprintf("%s-key.pem", prefix))
43 |
44 | err = ioutil.WriteFile(certPath, certBytes, 0600)
45 | if err != nil {
46 | return nil, err
47 | }
48 |
49 | err = ioutil.WriteFile(keyPath, keyBytes, 0600)
50 | if err != nil {
51 | return nil, err
52 | }
53 |
54 | p, rest := pem.Decode(keyBytes)
55 | if len(rest) != 0 {
56 | return nil, fmt.Errorf("got rest decoding pem file %s: %s", keyPath, rest)
57 | }
58 |
59 | sk, err := x509.ParsePKCS1PrivateKey(p.Bytes)
60 | if err != nil {
61 | return nil, err
62 | }
63 |
64 | return &KeyBundle{
65 | CertPath: certPath,
66 | KeyPath: keyPath,
67 | CertBytes: certBytes,
68 | KeyBytes: keyBytes,
69 | Key: sk,
70 | }, nil
71 | }
72 |
--------------------------------------------------------------------------------
/demo/manifests/vendor/kube-prod-runtime/components/alertmanager-config.jsonnet:
--------------------------------------------------------------------------------
1 | /*
2 | * Bitnami Kubernetes Production Runtime - A collection of services that makes it
3 | * easy to run production workloads in Kubernetes.
4 | *
5 | * Copyright 2018-2019 Bitnami
6 | *
7 | * Licensed under the Apache License, Version 2.0 (the "License");
8 | * you may not use this file except in compliance with the License.
9 | * You may obtain a copy of the License at
10 | *
11 | * http://www.apache.org/licenses/LICENSE-2.0
12 | *
13 | * Unless required by applicable law or agreed to in writing, software
14 | * distributed under the License is distributed on an "AS IS" BASIS,
15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 | * See the License for the specific language governing permissions and
17 | * limitations under the License.
18 | */
19 |
20 | // https://prometheus.io/docs/alerting/configuration/
21 | {
22 | global: {
23 | resolve_timeout: "5m",
24 | },
25 |
26 | //templates: []
27 |
28 | route: {
29 | group_by: ["alertname", "cluster", "service"],
30 |
31 | group_wait: "30s",
32 |
33 | group_interval: "5m",
34 | repeat_interval: "7d",
35 |
36 | receiver: "email",
37 |
38 | routes: [
39 | ],
40 | },
41 |
42 | inhibit_rules: [
43 | {
44 | source_match: {severity: "critical"},
45 | target_match: {severity: "warning"},
46 | equal: ["alertname", "cluster", "service"],
47 | },
48 | ],
49 |
50 | receivers_:: {
51 | email: {
52 | //email_configs: [{to: "foo@example.com"}],
53 | },
54 | },
55 | receivers: [{name: k} + self.receivers_[k] for k in std.objectFields(self.receivers_)],
56 | }
57 |
--------------------------------------------------------------------------------
/demo/infrastructure/modules/google-cluster/cluster.tf:
--------------------------------------------------------------------------------
1 | variable "suffix" {}
2 |
3 | variable "zone" {}
4 |
5 | resource "google_container_cluster" "cluster" {
6 | name = "cluster-${var.suffix}"
7 | zone = "${var.zone}"
8 |
9 | initial_node_count = 3
10 |
11 | # Setting an empty username and password explicitly disables basic auth
12 | master_auth {
13 | username = ""
14 | password = ""
15 | }
16 |
17 | node_config {
18 | oauth_scopes = [
19 | "https://www.googleapis.com/auth/compute",
20 | "https://www.googleapis.com/auth/devstorage.read_only",
21 | "https://www.googleapis.com/auth/logging.write",
22 | "https://www.googleapis.com/auth/monitoring",
23 | ]
24 | }
25 | }
26 |
27 | data "google_client_config" "default" {}
28 |
29 | output "name" {
30 | value = "${google_container_cluster.cluster.name}"
31 | }
32 |
33 | output "project" {
34 | value = "${google_container_cluster.cluster.project}"
35 | }
36 |
37 | output "kubeconfig" {
38 | value = < 0 {
22 | sec, err = h.KubeClient.CoreV1().Secrets(ns).Get(context.TODO(), sa.Secrets[0].Name, metav1.GetOptions{})
23 | if err != nil {
24 | return nil, err
25 | }
26 | } else {
27 | var requestSeconds int64
28 | requestSeconds = 600
29 |
30 | // starting in 1.24 ServiceAccounts no longer get Secrets, need to request one bound to a ServiceAccount
31 | serviceAccountToken, err := h.KubeClient.CoreV1().ServiceAccounts(ns).CreateToken(context.TODO(), sa.Name, &v1.TokenRequest{
32 | Spec: v1.TokenRequestSpec{
33 | Audiences: []string{"https://kubernetes.default.svc.cluster.local"},
34 | ExpirationSeconds: &requestSeconds,
35 | },
36 | }, metav1.CreateOptions{})
37 |
38 | if err != nil {
39 | return nil, err
40 | }
41 |
42 | fmt.Printf("TOKEN!!!!! : %v\n", serviceAccountToken.Status.Token)
43 |
44 | secretToReturn := &corev1.Secret{
45 | ObjectMeta: metav1.ObjectMeta{
46 | Namespace: ns,
47 | Name: name,
48 | },
49 | Data: map[string][]byte{corev1.ServiceAccountTokenKey: []byte(serviceAccountToken.Status.Token)},
50 | }
51 |
52 | return secretToReturn, nil
53 |
54 | }
55 |
56 | return sec, nil
57 | }
58 |
--------------------------------------------------------------------------------
/pkg/proxy/logging/accesslog_test.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package logging
3 |
4 | import (
5 | "net/http"
6 | "testing"
7 | )
8 |
9 | func TestXForwardedFor(t *testing.T) {
10 |
11 | tests := map[string]struct {
12 | headers http.Header
13 | remoteAddr string
14 | exp string
15 | }{
16 | "no x-forwarded-for": {
17 | headers: http.Header{},
18 | remoteAddr: "1.2.3.4",
19 | exp: "",
20 | },
21 | "empty x-forwarded-for": {
22 | headers: http.Header{
23 | "X-Forwarded-For": []string{""},
24 | },
25 | remoteAddr: "1.2.3.4",
26 | exp: "",
27 | },
28 | "x-forwarded-for is remoteaddr": {
29 | headers: http.Header{
30 | "X-Forwarded-For": []string{"1.2.3.4"},
31 | },
32 | remoteAddr: "1.2.3.4",
33 | exp: "",
34 | },
35 | "x-forwarded-for with no remoteaddr": {
36 | headers: http.Header{
37 | "X-Forwarded-For": []string{"1.2.3.1"},
38 | },
39 | remoteAddr: "1.2.3.4",
40 | exp: "1.2.3.1",
41 | },
42 | "x-forwarded-for with with remoteaddr at the end": {
43 | headers: http.Header{
44 | "X-Forwarded-For": []string{"1.2.3.1, 1.2.3.4"},
45 | },
46 | remoteAddr: "1.2.3.4",
47 | exp: "1.2.3.1",
48 | },
49 | "x-forwarded-for with with remoteaddr at the beginning": {
50 | headers: http.Header{
51 | "X-Forwarded-For": []string{"1.2.3.4, 1.2.3.1"},
52 | },
53 | remoteAddr: "1.2.3.4",
54 | exp: "1.2.3.1",
55 | },
56 | }
57 |
58 | for name, test := range tests {
59 | t.Run(name, func(t *testing.T) {
60 | forwarded := findXForwardedFor(test.headers, test.remoteAddr)
61 |
62 | if test.exp != forwarded {
63 | t.Errorf("failed for %s: unexpected result : %s", name, forwarded)
64 | t.FailNow()
65 | }
66 | })
67 | }
68 | }
69 |
--------------------------------------------------------------------------------
/test/e2e/framework/util.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package framework
3 |
4 | import (
5 | "context"
6 | "fmt"
7 | "time"
8 |
9 | corev1 "k8s.io/api/core/v1"
10 | apierrors "k8s.io/apimachinery/pkg/api/errors"
11 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
12 | "k8s.io/apimachinery/pkg/util/wait"
13 | "k8s.io/client-go/kubernetes"
14 | )
15 |
16 | const (
17 | clientID = "kube-oidc-proxy-e2e-client_id"
18 | )
19 |
20 | // CreateKubeNamespace creates a new Kubernetes Namespace for a test.
21 | func (f *Framework) CreateKubeNamespace(baseName string) (*corev1.Namespace, error) {
22 | ns := &corev1.Namespace{
23 | ObjectMeta: metav1.ObjectMeta{
24 | GenerateName: fmt.Sprintf("kube-oidc-proxy-e2e-%v-", baseName),
25 | },
26 | }
27 |
28 | return f.KubeClientSet.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
29 | }
30 |
31 | // DeleteKubeNamespace will delete a namespace resource
32 | func (f *Framework) DeleteKubeNamespace(namespace string) error {
33 | return f.KubeClientSet.CoreV1().Namespaces().Delete(context.TODO(), namespace, metav1.DeleteOptions{})
34 | }
35 |
36 | // WaitForKubeNamespaceNotExist will wait for the namespace with the given name
37 | // to not exist for up to 2 minutes.
38 | func (f *Framework) WaitForKubeNamespaceNotExist(namespace string) error {
39 | return wait.PollImmediate(time.Second*2, time.Minute*2, namespaceNotExist(f.KubeClientSet, namespace))
40 | }
41 |
42 | func namespaceNotExist(c kubernetes.Interface, namespace string) wait.ConditionFunc {
43 | return func() (bool, error) {
44 | _, err := c.CoreV1().Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{})
45 | if apierrors.IsNotFound(err) {
46 | return true, nil
47 | }
48 | if err != nil {
49 | return false, err
50 | }
51 | return false, nil
52 | }
53 | }
54 |
--------------------------------------------------------------------------------
/cmd/app/options/client.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package options
3 |
4 | import (
5 | "github.com/spf13/cobra"
6 | "github.com/spf13/pflag"
7 | "k8s.io/cli-runtime/pkg/genericclioptions"
8 | cliflag "k8s.io/component-base/cli/flag"
9 | )
10 |
11 | type ClientOptions struct {
12 | *genericclioptions.ConfigFlags
13 |
14 | KubeClientQPS float32
15 | KubeClientBurst int
16 | }
17 |
18 | func NewClientOptions(nfs *cliflag.NamedFlagSets) *ClientOptions {
19 | c := &ClientOptions{
20 | ConfigFlags: genericclioptions.NewConfigFlags(true),
21 | }
22 |
23 | // Disable unwanted options
24 | c.CacheDir = nil
25 | c.Impersonate = nil
26 | c.ImpersonateGroup = nil
27 |
28 | return c.AddFlags(nfs.FlagSet("Client"))
29 | }
30 |
31 | func (c *ClientOptions) AddFlags(fs *pflag.FlagSet) *ClientOptions {
32 | c.ConfigFlags.AddFlags(fs)
33 |
34 | // Extra flags
35 | fs.Float32Var(&c.KubeClientQPS, "kube-client-qps", c.KubeClientQPS, "Sets the QPS on the app "+
36 | "kubernetes client, this will configure throttling on requests sent to the apiserver "+
37 | "(If not set, it will use client default ones)")
38 | fs.IntVar(&c.KubeClientBurst, "kube-client-burst", c.KubeClientBurst, "Sets the burst on the app "+
39 | "kubernetes client, this will configure throttling on requests sent to the apiserver"+
40 | "(If not set, it will use client default ones)")
41 |
42 | return c
43 | }
44 |
45 | func (c *ClientOptions) ClientFlagsChanged(cmd *cobra.Command) bool {
46 | for _, f := range clientOptionFlags() {
47 | if ff := cmd.Flag(f); ff != nil && ff.Changed {
48 | return true
49 | }
50 | }
51 |
52 | return false
53 | }
54 |
55 | func clientOptionFlags() []string {
56 | return []string{"certificate-authority", "client-certificate", "client-key", "cluster",
57 | "context", "insecure-skip-tls-verify", "kubeconfig", "namespace",
58 | "request-timeout", "server", "token", "user",
59 | }
60 | }
61 |
--------------------------------------------------------------------------------
/pkg/proxy/subjectaccessreview/fake/subjectaccessreview.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package fake
3 |
4 | import (
5 | "context"
6 |
7 | azv1 "k8s.io/api/authorization/v1"
8 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
9 | clientazv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
10 | )
11 |
12 | var _ clientazv1.SubjectAccessReviewInterface = &FakeReviewer{}
13 |
14 | type FakeReviewer struct {
15 | err error
16 | }
17 |
18 | func New(err error) *FakeReviewer {
19 | return &FakeReviewer{
20 | err: err,
21 | }
22 | }
23 |
24 | func (f *FakeReviewer) Create(ctx context.Context, req *azv1.SubjectAccessReview, co metav1.CreateOptions) (*azv1.SubjectAccessReview, error) {
25 | if f.err != nil {
26 | return nil, f.err
27 | }
28 |
29 | if req.Spec.ResourceAttributes.Resource == "users" && req.Spec.ResourceAttributes.Name == "jjackson" {
30 | req.Status = azv1.SubjectAccessReviewStatus{
31 | Allowed: true,
32 | }
33 |
34 | return req, nil
35 | }
36 |
37 | if req.Spec.ResourceAttributes.Resource == "groups" && req.Spec.ResourceAttributes.Name == "group3" {
38 | req.Status = azv1.SubjectAccessReviewStatus{
39 | Allowed: true,
40 | }
41 |
42 | return req, nil
43 | }
44 |
45 | if req.Spec.ResourceAttributes.Resource == "uids" && req.Spec.ResourceAttributes.Name == "1-2-3-4" {
46 | req.Status = azv1.SubjectAccessReviewStatus{
47 | Allowed: true,
48 | }
49 |
50 | return req, nil
51 | }
52 |
53 | if req.Spec.ResourceAttributes.Resource == "userextras" && req.Spec.ResourceAttributes.Subresource == "remoteaddr" && req.Spec.ResourceAttributes.Name == "1.2.3.4" {
54 | req.Status = azv1.SubjectAccessReviewStatus{
55 | Allowed: true,
56 | }
57 |
58 | return req, nil
59 | }
60 |
61 | // not an expcted test, or didn't conform to known allowed, fail
62 | req.Status = azv1.SubjectAccessReviewStatus{
63 | Allowed: false,
64 | }
65 |
66 | return req, nil
67 |
68 | }
69 |
--------------------------------------------------------------------------------
/pkg/proxy/tokenreview/tokenreview.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package tokenreview
3 |
4 | import (
5 | "context"
6 | "errors"
7 | "fmt"
8 | "net/http"
9 | "time"
10 |
11 | authv1 "k8s.io/api/authentication/v1"
12 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
13 | "k8s.io/client-go/kubernetes"
14 | clientauthv1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
15 | "k8s.io/client-go/rest"
16 |
17 | "github.com/jetstack/kube-oidc-proxy/pkg/util"
18 | )
19 |
20 | var (
21 | timeout = time.Second * 10
22 | )
23 |
24 | type TokenReview struct {
25 | reviewRequester clientauthv1.TokenReviewInterface
26 | audiences []string
27 | }
28 |
29 | func New(restConfig *rest.Config, audiences []string) (*TokenReview, error) {
30 | kubeclient, err := kubernetes.NewForConfig(restConfig)
31 | if err != nil {
32 | return nil, err
33 | }
34 |
35 | return &TokenReview{
36 | reviewRequester: kubeclient.AuthenticationV1().TokenReviews(),
37 | audiences: audiences,
38 | }, nil
39 | }
40 |
41 | func (t *TokenReview) Review(req *http.Request) (bool, error) {
42 | token, ok := util.ParseTokenFromRequest(req)
43 | if !ok {
44 | return false, errors.New("bearer token not found in request")
45 | }
46 |
47 | review := t.buildReview(token)
48 |
49 | ctx, cancel := context.WithTimeout(req.Context(), timeout)
50 | defer cancel()
51 |
52 | resp, err := t.reviewRequester.Create(ctx, review, metav1.CreateOptions{})
53 | if err != nil {
54 | return false, err
55 | }
56 |
57 | if len(resp.Status.Error) > 0 {
58 | return false, fmt.Errorf("error authenticating using token review: %s",
59 | resp.Status.Error)
60 | }
61 |
62 | return resp.Status.Authenticated, nil
63 | }
64 |
65 | func (t *TokenReview) buildReview(token string) *authv1.TokenReview {
66 | return &authv1.TokenReview{
67 | Spec: authv1.TokenReviewSpec{
68 | Token: token,
69 | Audiences: t.audiences,
70 | },
71 | }
72 | }
73 |
--------------------------------------------------------------------------------
/deploy/charts/kube-oidc-proxy/templates/_helpers.tpl:
--------------------------------------------------------------------------------
1 | {{/* vim: set filetype=mustache: */}}
2 | {{/*
3 | Expand the name of the chart.
4 | */}}
5 | {{- define "kube-oidc-proxy.name" -}}
6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
7 | {{- end -}}
8 |
9 | {{/*
10 | Create a default fully qualified app name.
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
12 | If release name contains chart name it will be used as a full name.
13 | */}}
14 | {{- define "kube-oidc-proxy.fullname" -}}
15 | {{- if .Values.fullnameOverride -}}
16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
17 | {{- else -}}
18 | {{- $name := default .Chart.Name .Values.nameOverride -}}
19 | {{- if contains $name .Release.Name -}}
20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
21 | {{- else -}}
22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
23 | {{- end -}}
24 | {{- end -}}
25 | {{- end -}}
26 |
27 | {{/*
28 | Create chart name and version as used by the chart label.
29 | */}}
30 | {{- define "kube-oidc-proxy.chart" -}}
31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
32 | {{- end -}}
33 |
34 | {{/*
35 | Common labels
36 | */}}
37 | {{- define "kube-oidc-proxy.labels" -}}
38 | app.kubernetes.io/name: {{ include "kube-oidc-proxy.name" . }}
39 | helm.sh/chart: {{ include "kube-oidc-proxy.chart" . }}
40 | app.kubernetes.io/instance: {{ .Release.Name }}
41 | {{- if .Chart.AppVersion }}
42 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
43 | {{- end }}
44 | app.kubernetes.io/managed-by: {{ .Release.Service }}
45 | {{- end -}}
46 |
47 | {{/*
48 | Required claims serialized to CLI argument
49 | */}}
50 | {{- define "requiredClaims" -}}
51 | {{- if .Values.oidc.requiredClaims -}}
52 | {{- $local := (list) -}}
53 | {{- range $k, $v := .Values.oidc.requiredClaims -}}
54 | {{- $local = (printf "%s=%s" $k $v | append $local) -}}
55 | {{- end -}}
56 | {{ join "," $local }}
57 | {{- end -}}
58 | {{- end -}}
59 |
--------------------------------------------------------------------------------
/demo/manifests/components/cert-manager.jsonnet:
--------------------------------------------------------------------------------
1 | local kube = import '../vendor/kube-prod-runtime/lib/kube.libsonnet';
2 | local cert_manager_manifests = import './cert-manager/cert-manager.json';
3 | local apiGroup = 'cert-manager.io/v1alpha2';
4 |
5 | {
6 | ca_secret_name:: 'ca-key-pair',
7 |
8 | p:: '',
9 | metadata:: {
10 | metadata+: {
11 | namespace: 'kubeprod',
12 | },
13 | },
14 | letsencrypt_contact_email:: error 'Letsencrypt contact e-mail is undefined',
15 |
16 | // create simple to use certificate resource
17 | Certificate(namespace, name, issuer, solver, domains):: kube._Object(apiGroup, 'Certificate', name) + {
18 | metadata+: {
19 | namespace: namespace,
20 | name: name,
21 | },
22 | spec+: {
23 | secretName: name + '-tls',
24 | dnsNames: domains,
25 | issuerRef: {
26 | name: issuer.metadata.name,
27 | kind: issuer.kind,
28 | },
29 | },
30 | },
31 |
32 | // Letsencrypt environments
33 | letsencrypt_environments:: {
34 | prod: $.letsencryptProd.metadata.name,
35 | staging: $.letsencryptStaging.metadata.name,
36 | },
37 | // Letsencrypt environment (defaults to the production one)
38 | letsencrypt_environment:: 'prod',
39 |
40 | Issuer(name):: kube._Object(apiGroup, 'Issuer', name) {
41 | },
42 |
43 | ClusterIssuer(name):: kube._Object(apiGroup, 'ClusterIssuer', name) {
44 | },
45 |
46 | deploy: cert_manager_manifests,
47 |
48 | letsencryptStaging: $.ClusterIssuer($.p + 'letsencrypt-staging') {
49 | local this = self,
50 | spec+: {
51 | acme+: {
52 | server: 'https://acme-staging-v02.api.letsencrypt.org/directory',
53 | email: $.letsencrypt_contact_email,
54 | privateKeySecretRef: { name: this.metadata.name },
55 | http01: {},
56 | },
57 | },
58 | },
59 |
60 | letsencryptProd: $.letsencryptStaging {
61 | metadata+: { name: $.p + 'letsencrypt-prod' },
62 | spec+: {
63 | acme+: {
64 | server: 'https://acme-v02.api.letsencrypt.org/directory',
65 | },
66 | },
67 | },
68 |
69 | solvers+:: [],
70 | }
71 |
--------------------------------------------------------------------------------
/docs/tasks/development-testing.md:
--------------------------------------------------------------------------------
1 | # Development Testing
2 |
3 | In order to help development for the proxy, there are a few tools in place for
4 | quick testing.
5 |
6 | # Creating a Cluster
7 |
8 | Use `make dev_cluster_create` to spin up a kind cluster locally. This will also
9 | build the proxy and other tooling from source, build their images, and load them
10 | onto each node.
11 |
12 | # Deploying the Proxy
13 |
14 | This will build the proxy and other tooling from source,build the images, and
15 | load them onto each node. This will then deploy the proxy alongside a fake OIDC
16 | issuer so that the proxy is fully functional. The proxy will then be reachable
17 | from a node port service in the cluster.
18 |
19 |
20 | ```bash
21 | make dev_cluster_deploy
22 | ```
23 |
24 | This command will output a signed OIDC token that is valid for the proxy. You
25 | can then make calls to the proxy, like the following:
26 |
27 | ```bash
28 | curl -k https://172.17.0.2:30226 -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.ewoJImlzcyI6Imh0dHBzOi8vb2lkYy1pc3N1ZXItZTJlLmt1YmUtb2lkYy1wcm94eS1lMmUtNmhiNGcuc3ZjLmNsdXN0ZXIubG9jYWw6NjQ0MyIsCgkiYXVkIjpbImt1YmUtb2lkYy1wcm94eS1lMmUtY2xpZW50LWlkIiwiYXVkLTIiXSwKCSJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLAoJImdyb3VwcyI6WyJncm91cC0xIiwiZ3JvdXAtMiJdLAoJImV4cCI6MTU4MjU1NTYzMQoJfQ.qWCM5zUHGslmwbgyZnMjhVeCLJd3R3c7xjtatjT_pv1VY-PpJ8IGBsbcCpur1fAm2CAbr0juM3yzwV1S3TUjhNhE8Wo6rxjA2Flnmwj7Nn2Got6T_cMFHQ_3A6YC72qkMwH-7SvXFB-C5Bk96vi9-clrxJ_b1XjfMPViZEVCJphh9HVzrZ5DPOAR0PDl-qnVys_CRkF0NEwEvAZL5SFumBqjtLBI9XUlWbB6VTljPOExL1zkv8NevZF8DxVsYFaW9HOYH8vNgC07kj_oUVkmAjP-2tVngcBKka0IBmuz2r-RfWNy9VJ-yb19AbtJNw6fjASy7O6VifuH4ZpjP5JSIg'
29 | ```
30 |
31 | You are also able to deploy a server that the proxy connects to. This is useful
32 | for checking the headers and request body sent to the target server by the
33 | proxy which are present in the server logs. To enable this, set the following
34 | environment variable:
35 |
36 | ```bash
37 | KUBE_OIDC_PROXY_FAKE_APISERVER=true make dev_cluster_deploy
38 | ```
39 |
40 | # Delete the cluster
41 |
42 | To delete the test kind cluster, use `make dev_cluster_destroy`.
43 |
--------------------------------------------------------------------------------
/pkg/util/flags/string_to_string_slice_test.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package flags
3 |
4 | import (
5 | "reflect"
6 | "testing"
7 | )
8 |
9 | func TestStringToStringSliceSet(t *testing.T) {
10 | tests := map[string]struct {
11 | val string
12 | expError bool
13 | expValues map[string][]string
14 | }{
15 | "if empty string set, no values": {
16 | val: "",
17 | expError: false,
18 | expValues: make(map[string][]string),
19 | },
20 | "if only key then error": {
21 | val: "key1",
22 | expError: true,
23 | expValues: make(map[string][]string),
24 | },
25 | "if single key value return": {
26 | val: "key1=foo",
27 | expError: false,
28 | expValues: map[string][]string{
29 | "key1": []string{"foo"},
30 | },
31 | },
32 | "if two keys with two values return": {
33 | val: "key1=foo,key2=bar",
34 | expError: false,
35 | expValues: map[string][]string{
36 | "key1": []string{"foo"},
37 | "key2": []string{"bar"},
38 | },
39 | },
40 | "if 3 keys with 5 values return": {
41 | val: "key1=foo,key2=bar,key1=a,key2=c,key3=c",
42 | expError: false,
43 | expValues: map[string][]string{
44 | "key1": []string{"foo", "a"},
45 | "key2": []string{"bar", "c"},
46 | "key3": []string{"c"},
47 | },
48 | },
49 | "if key with no value error": {
50 | val: "key1=foo,key2=bar,key1=a,key2=c,key3",
51 | expError: true,
52 | expValues: make(map[string][]string),
53 | },
54 | }
55 |
56 | for name, test := range tests {
57 | t.Run(name, func(t *testing.T) {
58 | s := new(stringToStringSliceValue)
59 |
60 | err := s.Set(test.val)
61 | if test.expError != (err != nil) {
62 | t.Errorf("got unexpected error: %v", err)
63 | t.FailNow()
64 | }
65 |
66 | match := true
67 | if s.values == nil {
68 | if test.expValues != nil {
69 | match = false
70 | }
71 | } else if !reflect.DeepEqual(test.expValues, *s.values) {
72 | match = false
73 | }
74 |
75 | if !match {
76 | t.Errorf("unexpected values, exp=%v got=%v", test.expValues, *s.values)
77 | }
78 | })
79 | }
80 | }
81 |
--------------------------------------------------------------------------------
/hack/update-vendor.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Copyright 2019 The Kubernetes Authors.
3 | #
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 | #
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 |
16 | set -o errexit
17 | set -o nounset
18 | set -o pipefail
19 |
20 | REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
21 |
22 | # Usage:
23 | # hack/pin-dependency.sh $MODULE $SHA-OR-TAG
24 | #
25 | # Example:
26 | # hack/pin-dependency.sh github.com/docker/docker 501cb131a7b7
27 |
28 | # Explicitly opt into go modules, even though we're inside a GOPATH directory
29 | export GO111MODULE=on
30 | # Explicitly clear GOPATH, to ensure nothing this script calls makes use of that path info
31 | export GOPATH=
32 | # Explicitly clear GOFLAGS, since GOFLAGS=-mod=vendor breaks dependency resolution while rebuilding vendor
33 | export GOFLAGS=
34 | # Detect problematic GOPROXY settings that prevent lookup of dependencies
35 | if [[ "${GOPROXY:-}" == "off" ]]; then
36 | echo "Cannot run hack/pin-dependency.sh with \$GOPROXY=off"
37 | exit 1
38 | fi
39 |
40 | dep="${1:-}"
41 | sha="${2:-}"
42 | if [[ -z "${dep}" || -z "${sha}" ]]; then
43 | echo "Usage:"
44 | echo " hack/pin-dependency.sh \$MODULE \$SHA-OR-TAG"
45 | echo ""
46 | echo "Example:"
47 | echo " hack/pin-dependency.sh github.com/docker/docker 501cb131a7b7"
48 | echo ""
49 | exit 1
50 | fi
51 |
52 | # Add the require directive
53 | echo "Running: go get ${dep}@${sha}"
54 | go get -d "${dep}@${sha}"
55 |
56 | # Find the resolved version
57 | rev=$(go mod edit -json | jq -r ".Require[] | select(.Path == \"${dep}\") | .Version")
58 | echo "Resolved to ${dep}@${rev}"
59 |
60 | # Add the replace directive
61 | echo "Running: go mod edit -replace ${dep}=${dep}@${rev}"
62 | go mod edit -replace "${dep}=${dep}@${rev}"
63 |
--------------------------------------------------------------------------------
/pkg/util/flags/string_to_string_slice.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package flags
3 |
4 | import (
5 | "bytes"
6 | "encoding/csv"
7 | "fmt"
8 | "strings"
9 |
10 | "github.com/spf13/pflag"
11 | )
12 |
13 | // This is a struct to implement the pflag.Value interface to introduce a
14 | // map[string][]string flag type.
15 | type stringToStringSliceValue struct {
16 | values *map[string][]string
17 | }
18 |
19 | var _ pflag.Value = &stringToStringSliceValue{}
20 |
21 | // NewStringToStringSliceValue returns a pflag.Value interface that implements
22 | // a flag that takes values into the map[string][]slice data structure.
23 | func NewStringToStringSliceValue(p *map[string][]string) pflag.Value {
24 | return &stringToStringSliceValue{
25 | values: p,
26 | }
27 | }
28 |
29 | // This format is expecting a list of key value pairs, seperated by commas. A
30 | // single index may have multiple entries.
31 | // e.g.: a=-7,b=2,a=3
32 | func (s *stringToStringSliceValue) Set(val string) error {
33 | if s.values == nil {
34 | m := make(map[string][]string)
35 | s.values = &m
36 | }
37 |
38 | if *s.values == nil {
39 | *s.values = make(map[string][]string)
40 | }
41 |
42 | if len(val) == 0 {
43 | return nil
44 | }
45 |
46 | var ss []string
47 |
48 | r := csv.NewReader(strings.NewReader(val))
49 | var err error
50 | ss, err = r.Read()
51 | if err != nil {
52 | *s.values = make(map[string][]string)
53 | return err
54 | }
55 |
56 | for _, pair := range ss {
57 | kv := strings.Split(pair, "=")
58 | if len(kv) != 2 {
59 | *s.values = make(map[string][]string)
60 | return fmt.Errorf("%s must be formatted as key=value", pair)
61 | }
62 |
63 | (*s.values)[kv[0]] = append((*s.values)[kv[0]], kv[1])
64 | }
65 |
66 | return nil
67 | }
68 |
69 | func (s *stringToStringSliceValue) Type() string {
70 | return "stringToStringSlice"
71 | }
72 |
73 | func (s *stringToStringSliceValue) String() string {
74 | var records []string
75 | for k, vs := range *s.values {
76 | for _, v := range vs {
77 | records = append(records, k+"="+v)
78 | }
79 | }
80 |
81 | var buf bytes.Buffer
82 | w := csv.NewWriter(&buf)
83 | if err := w.Write(records); err != nil {
84 | panic(err)
85 | }
86 |
87 | w.Flush()
88 | return "[" + strings.TrimSpace(buf.String()) + "]"
89 | }
90 |
--------------------------------------------------------------------------------
/test/e2e/framework/helper/token.go:
--------------------------------------------------------------------------------
1 | // Copyright Jetstack Ltd. See LICENSE for details.
2 | package helper
3 |
4 | import (
5 | "crypto/tls"
6 | "crypto/x509"
7 | "fmt"
8 | "net/http"
9 | "net/url"
10 | "time"
11 |
12 | jose "gopkg.in/square/go-jose.v2"
13 | "k8s.io/client-go/rest"
14 |
15 | "github.com/jetstack/kube-oidc-proxy/test/util"
16 | )
17 |
18 | func (h *Helper) NewValidRestConfig(issuerBundle, proxyBundle *util.KeyBundle,
19 | issuerURL, proxyURL *url.URL, clientID string) (*rest.Config, error) {
20 |
21 | // Valid token with exp in 10 minutes
22 | tokenPayload := h.NewTokenPayload(issuerURL, clientID,
23 | time.Now().Add(time.Minute*10))
24 | signedToken, err := h.SignToken(issuerBundle, tokenPayload)
25 | if err != nil {
26 | return nil, fmt.Errorf("failed to sign token %q: %s", tokenPayload, err)
27 | }
28 |
29 | certPool := x509.NewCertPool()
30 | if ok := certPool.AppendCertsFromPEM(proxyBundle.CertBytes); !ok {
31 | return nil, fmt.Errorf("failed to append proxy cert data to cert pool %s", proxyBundle.CertBytes)
32 | }
33 |
34 | return &rest.Config{
35 | Host: proxyURL.String(),
36 | Burst: rest.DefaultBurst,
37 | BearerToken: signedToken,
38 | Transport: &http.Transport{
39 | TLSClientConfig: &tls.Config{
40 | RootCAs: certPool,
41 | },
42 | },
43 | }, nil
44 | }
45 |
46 | func (h *Helper) SignToken(issuerBundle *util.KeyBundle, tokenPayload []byte) (string, error) {
47 | signer, err := jose.NewSigner(jose.SigningKey{
48 | Algorithm: jose.SignatureAlgorithm("RS256"),
49 | Key: issuerBundle.Key,
50 | }, nil)
51 | if err != nil {
52 | return "", fmt.Errorf("failed to initialise new jwt signer: %s", err)
53 | }
54 |
55 | jwt, err := signer.Sign(tokenPayload)
56 | if err != nil {
57 | return "", fmt.Errorf("failed to sign jwt: %s", err)
58 | }
59 |
60 | signedToken, err := jwt.CompactSerialize()
61 | if err != nil {
62 | return "", err
63 | }
64 |
65 | return signedToken, nil
66 | }
67 |
68 | func (h *Helper) NewTokenPayload(issuerURL *url.URL, clientID string, exp time.Time) []byte {
69 | // Valid for 10 mins
70 | return []byte(fmt.Sprintf(`{
71 | "iss":"%s",
72 | "aud":["%s","aud-2"],
73 | "email":"user@example.com",
74 | "groups":["group-1","group-2"],
75 | "exp":%d
76 | }`, issuerURL, clientID, exp.Unix()))
77 | }
78 |
--------------------------------------------------------------------------------
/demo/manifests/components/landingpage/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Kube-OIDC-Proxy
7 |
8 |
9 |
10 |
11 |
29 |
30 |
31 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 | #CONTENT#
52 |
53 |
54 |
55 |